CVE-2023-37544: 
Java vulnerability analysis and mitigation

An Improper Authentication vulnerability (CVE-2023-37544) was discovered in Apache Pulsar WebSocket Proxy that allows attackers to connect to the /pingpong endpoint without authentication. The vulnerability affects multiple versions of Apache Pulsar WebSocket Proxy including versions 2.8.0 through 2.8., 2.9.0 through 2.9., 2.10.0 through 2.10.4, 2.11.0 through 2.11.1, and 3.0.0. The vulnerability was disclosed on December 20, 2023 (Openwall Mailing List).

The vulnerability stems from an improper authentication implementation in the WebSocket Proxy component, specifically affecting the /pingpong endpoint. The issue has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-287 (Improper Authentication) (NVD).

The vulnerability can lead to two primary security impacts: a denial of service condition due to the WebSocket Proxy accepting any connections without proper authentication, and potential excessive data transfer resulting from misuse of the WebSocket ping/pong feature (Openwall Mailing List).

Users are advised to upgrade to patched versions: Pulsar WebSocket Proxy 2.10.x users should upgrade to at least version 2.10.5, 2.11.x users should upgrade to at least version 2.11.2, and 3.0.x users should upgrade to at least version 3.0.1. Users running versions 2.8, 2.9, and earlier should upgrade to one of these patched versions. Version 3.1 users are unaffected by this vulnerability (Openwall Mailing List).