cnvd - cnvd-2024-01019

cnvd-2024-01019

Vulnerability from cnvd

Title: Apache Pulsar WebSocket Proxy拒绝服务漏洞

Description:

Apache Pulsar是美国阿帕奇（Apache）基金会的一个用于云环境种，集消息、存储、轻量化函数式计算为一体的分布式消息流平台。

Apache Pulsar WebSocket Proxy存在拒绝服务漏洞，攻击者可利用该漏洞导致拒绝服务。

Severity: 高

Patch Name: Apache Pulsar WebSocket Proxy拒绝服务漏洞的补丁

Patch Description:

Apache Pulsar是美国阿帕奇（Apache）基金会的一个用于云环境种，集消息、存储、轻量化函数式计算为一体的分布式消息流平台。

Apache Pulsar WebSocket Proxy存在拒绝服务漏洞，攻击者可利用该漏洞导致拒绝服务。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/od0k9zts1toc9h9snbqq4pjpyx28mv4m

Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-37544

Impacted products

Name
['Apache Pulsar WebSocket Proxy >=2.8.0，<=2.8. ', 'Apache Pulsar WebSocket Proxy >=2.9.0，<=2.9. ', 'Apache Pulsar WebSocket Proxy >=2.10.0，<=2.10.4', 'Apache Pulsar WebSocket Proxy >=2.11.0，<=2.11.1', 'Apache Pulsar WebSocket Proxy 3.0.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-37544",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-37544"
    }
  },
  "description": "Apache Pulsar\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u7528\u4e8e\u4e91\u73af\u5883\u79cd\uff0c\u96c6\u6d88\u606f\u3001\u5b58\u50a8\u3001\u8f7b\u91cf\u5316\u51fd\u6570\u5f0f\u8ba1\u7b97\u4e3a\u4e00\u4f53\u7684\u5206\u5e03\u5f0f\u6d88\u606f\u6d41\u5e73\u53f0\u3002\n\nApache Pulsar WebSocket Proxy\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/od0k9zts1toc9h9snbqq4pjpyx28mv4m",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-01019",
  "openTime": "2024-01-08",
  "patchDescription": "Apache Pulsar\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u7528\u4e8e\u4e91\u73af\u5883\u79cd\uff0c\u96c6\u6d88\u606f\u3001\u5b58\u50a8\u3001\u8f7b\u91cf\u5316\u51fd\u6570\u5f0f\u8ba1\u7b97\u4e3a\u4e00\u4f53\u7684\u5206\u5e03\u5f0f\u6d88\u606f\u6d41\u5e73\u53f0\u3002\r\n\r\nApache Pulsar WebSocket Proxy\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Pulsar WebSocket Proxy\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache Pulsar WebSocket Proxy \u003e=2.8.0\uff0c\u003c=2.8. *",
      "Apache Pulsar WebSocket Proxy \u003e=2.9.0\uff0c\u003c=2.9. *",
      "Apache Pulsar WebSocket Proxy \u003e=2.10.0\uff0c\u003c=2.10.4",
      "Apache Pulsar WebSocket Proxy \u003e=2.11.0\uff0c\u003c=2.11.1",
      "Apache Pulsar WebSocket Proxy 3.0.0"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2023-37544",
  "serverity": "\u9ad8",
  "submitTime": "2023-12-22",
  "title": "Apache Pulsar WebSocket Proxy\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}

CVE-2023-37544 (GCVE-0-2023-37544)

Vulnerability from cvelistv5

Published

2023-12-20 08:34

Modified

2025-02-13 17:01

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-287 - Improper Authentication

Summary

Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication. This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0. The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature. 2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5. 2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2. 3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1. 3.1 Pulsar WebSocket Proxy users are unaffected. Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions.

References

▼	URL	Tags
	https://lists.apache.org/thread/od0k9zts1toc9h9snbqq4pjpyx28mv4m	vendor-advisory
	http://www.openwall.com/lists/oss-security/2023/12/20/2

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Pulsar WebSocket Proxy	Version: 2.8.0 ≤ 2.8.* Version: 2.9.0 ≤ 2.9.* Version: 2.10.0 ≤ 2.10.4 Version: 2.11.0 ≤ 2.11.1 Version: 3.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T17:16:30.560Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/od0k9zts1toc9h9snbqq4pjpyx28mv4m"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/12/20/2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Pulsar WebSocket Proxy",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.8.*",
              "status": "affected",
              "version": "2.8.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "2.9.*",
              "status": "affected",
              "version": "2.9.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "2.10.4",
              "status": "affected",
              "version": "2.10.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "2.11.1",
              "status": "affected",
              "version": "2.11.0",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "3.0.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Michael Marshall of DataStax"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0.\u003cbr\u003e\u003cbr\u003eThe known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature.\u003cbr\u003e\u003cbr\u003e2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5.\u003cbr\u003e2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2.\u003cbr\u003e3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1.\u003cbr\u003e3.1 Pulsar WebSocket Proxy users are unaffected.\u003cbr\u003eAny users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions."
            }
          ],
          "value": "Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication.\n\nThis issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0.\n\nThe known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature.\n\n2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5.\n2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2.\n3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1.\n3.1 Pulsar WebSocket Proxy users are unaffected.\nAny users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287 Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-20T08:35:06.415Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/od0k9zts1toc9h9snbqq4pjpyx28mv4m"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2023/12/20/2"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Apache Pulsar WebSocket Proxy: Improper Authentication for WebSocket Proxy Endpoint Allows DoS",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2023-37544",
    "datePublished": "2023-12-20T08:34:02.393Z",
    "dateReserved": "2023-07-07T05:55:37.670Z",
    "dateUpdated": "2025-02-13T17:01:29.212Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted