CVE-2023-37544

Severity CVSS v4.0:
Pending analysis
Type:
CWE-287 Authentication Issues
Publication date:
20/12/2023
Last modified:
04/01/2024

Description

Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication.

This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, and 3.0.0.

The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature.

2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5.
2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2.
3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1.
3.1 Pulsar WebSocket Proxy users are unaffected.
Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, or earlier should upgrade to one of the patched versions above.
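The practical check after reading this advisory is whether a given proxy still lets an anonymous client finish the WebSocket upgrade on the ping/pong endpoint. The script below is an added example written for this page, not Apache Pulsar project code. It performs a bare RFC 6455 client handshake with no Authorization header and classifies the reply: a 101 with a valid Sec-WebSocket-Accept means the endpoint is reachable without credentials, a 401 or 403 is the expected behaviour once authentication is enforced. Assumptions (not stated in the advisory): the servlet path is /ws/pingpong (the text only says "/pingpong") and the proxy's plain-HTTP listener is on port 8080; both are parameters.

```python
"""Handshake probe for CVE-2023-37544 on an Apache Pulsar WebSocket Proxy.

Added example, not Pulsar project code.  Assumptions: the ping/pong servlet
is mounted at /ws/pingpong and the proxy's HTTP listener is on port 8080;
change `path` and `port` if your deployment differs.
"""
import base64
import hashlib
import os
import socket
from typing import Optional

# Fixed GUID from RFC 6455 section 4.2.2 used to derive Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def build_handshake(host: str, path: str, key: str, token: Optional[str] = None) -> bytes:
    """Minimal RFC 6455 client upgrade request for `path`.

    With token=None no Authorization header is sent, which is exactly the
    anonymous connection the advisory says vulnerable versions accept."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
    ]
    if token is not None:
        lines.append(f"Authorization: Bearer {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept value a conforming server must return for `key`."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def classify_response(raw: bytes, key: str) -> str:
    """Turn the server's HTTP reply into a verdict.

    'VULNERABLE'    101 with a correct Sec-WebSocket-Accept: the anonymous
                    client now holds a live WebSocket on the endpoint.
    'AUTH_REQUIRED' 401 or 403: the proxy rejected the unauthenticated upgrade.
    'OTHER:<x>'     anything else, e.g. 404 if the path assumption is wrong.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "OTHER:malformed"
    code = int(parts[1])
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if code == 101 and headers.get("sec-websocket-accept") == expected_accept(key):
        return "VULNERABLE"
    if code in (401, 403):
        return "AUTH_REQUIRED"
    return f"OTHER:{code}"


def probe(host: str, port: int = 8080, path: str = "/ws/pingpong", timeout: float = 5.0) -> str:
    """Send one anonymous upgrade request over plain TCP and classify the reply.

    Only the handshake is attempted; no ping frames are ever sent, so the
    check itself does not exercise the data-transfer risk the advisory names."""
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_handshake(host, path, key))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return classify_response(raw, key)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(f"{target}: {probe(target)}")
```

Run it against a proxy that has authentication turned on; a VULNERABLE verdict there means the version in use still skips the auth check on this endpoint and should be upgraded to one of the releases listed above. An OTHER:404 usually means the path assumption does not match the deployment rather than that the proxy is safe, so confirm the servlet path before drawing a conclusion.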

Vulnerable products and versions

CPE                                          From                 Up to
cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*      (no lower bound)     2.10.5 (excluding)
cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*      2.11.0 (including)   2.11.2 (excluding)
cpe:2.3:a:apache:pulsar:3.0.0:*:*:*:*:*:*:*  3.0.0 (exact)        3.0.0 (exact)