{"schema_version": "1.6.1", "id": "CVE-2022-24280", "summary": "Apache Pulsar Proxy target broker address isn't validated", "details": "Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address.\n\nWhen the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP connections to any IP address and port that the Pulsar Proxy can connect to. An attacker could use this as a way for DoS attacks that originate from the Pulsar Proxy's IP address.\nIt hasn’t been detected that the Pulsar Proxy authentication can be bypassed. The attacker will have to have a valid token to a properly secured Pulsar Proxy.\n\nThis issue affects Apache Pulsar Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.2; 2.9.0 to 2.9.1; 2.6.4 and earlier.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "2.7"}, {"last_affected": "2.7"}]}, {"type": "SEMVER", "events": [{"introduced": "2.8"}, {"last_affected": "2.8"}]}, {"type": "SEMVER", "events": [{"introduced": "2.9"}, {"last_affected": "2.9"}]}, {"type": "SEMVER", "events": [{"introduced": "2.6 and earlier"}, {"last_affected": "2.6 and earlier"}]}]}], "references": [{"type": "ADVISORY", "url": "https://lists.apache.org/thread/ghs9jtjfbpy4c6xcftyvkl6swznlom1v"}]}