CVE-2023-37544

Source
https://cve.org/CVERecord?id=CVE-2023-37544
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-37544.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-37544
Aliases
Published
2023-12-20T09:15:07.007Z
Modified
2026-02-11T13:32:32.824610Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication.

This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8., from 2.9.0 through 2.9., from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0.

The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature.

2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5. 2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2. 3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1. 3.1 Pulsar WebSocket Proxy users are unaffected. Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions.

References

Affected packages

Git / github.com/apache/pulsar

Affected ranges

Type
GIT
Repo
https://github.com/apache/pulsar
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed

Affected versions

v2.*
v2.11.0
v2.11.0-candidate-5
v2.11.1
v2.11.1-candidate-2

Database specific

vanir_signatures
[
    {
        "target": {
            "file": "pulsar-broker/src/test/java/org/apache/pulsar/schema/SchemaTest.java"
        },
        "deprecated": false,
        "id": "CVE-2023-37544-01be7070",
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://github.com/apache/pulsar/commit/54359b6e85f6678695075ee9008102bfb7ee2bd6",
        "digest": {
            "line_hashes": [
                "319027563936777323725932753169257438003",
                "88069771271722581557456100273741509432",
                "69866954073204129775436475378392149347"
            ],
            "threshold": 0.9
        }
    },
    {
        "target": {
            "file": "pulsar-broker/src/main/java/org/apache/pulsar/broker/service/persistent/PersistentTopic.java"
        },
        "deprecated": false,
        "id": "CVE-2023-37544-2a4c3a71",
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://github.com/apache/pulsar/commit/54359b6e85f6678695075ee9008102bfb7ee2bd6",
        "digest": {
            "line_hashes": [
                "90776908253300630271036441047504552361",
                "263527393613074932212636200396082243403",
                "108147411352264090683308385655949882978",
                "205483390786657811899489263854329209050"
            ],
            "threshold": 0.9
        }
    },
    {
        "target": {
            "file": "pulsar-broker/src/test/java/org/apache/pulsar/broker/service/OneWayReplicatorTest.java"
        },
        "deprecated": false,
        "id": "CVE-2023-37544-90664b8d",
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://github.com/apache/pulsar/commit/54359b6e85f6678695075ee9008102bfb7ee2bd6",
        "digest": {
            "line_hashes": [
                "334729304425693659639474813950702659909",
                "32393583047290786992050492907573835443",
                "66310507714015534244125363862979886294",
                "68587414986154971026418673494815979840",
                "23112179922483889358532794892710897315",
                "85408819410003727436120676251699948073",
                "198953664169196744005841461012767872796",
                "283939251400028409056735645463578945213",
                "248274582007338798585113768952938250088",
                "246055166929366373652156196064975024189",
                "279814472349464913734179958323719289961"
            ],
            "threshold": 0.9
        }
    },
    {
        "target": {
            "function": "addSchemaIfIdleOrCheckCompatible",
            "file": "pulsar-broker/src/main/java/org/apache/pulsar/broker/service/persistent/PersistentTopic.java"
        },
        "deprecated": false,
        "id": "CVE-2023-37544-bae003ef",
        "signature_type": "Function",
        "signature_version": "v1",
        "source": "https://github.com/apache/pulsar/commit/54359b6e85f6678695075ee9008102bfb7ee2bd6",
        "digest": {
            "function_hash": "272311384508637418272704652634332282349",
            "length": 477.0
        }
    },
    {
        "target": {
            "file": "pulsar-broker/src/main/java/org/apache/pulsar/broker/service/AbstractTopic.java"
        },
        "deprecated": false,
        "id": "CVE-2023-37544-d0d6c7fa",
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://github.com/apache/pulsar/commit/54359b6e85f6678695075ee9008102bfb7ee2bd6",
        "digest": {
            "line_hashes": [
                "2854009802051236187372983301286665807",
                "95553794259511231542904845196676649246",
                "219907294133839062551859422758746442345",
                "187903478850896489708468160289630252309"
            ],
            "threshold": 0.9
        }
    }
]
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-37544.json"