CVE-2022-32531

Severity
5.9 MEDIUM
EPSS
0.8%
top 25.98%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Dec 15

Description

The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack. The problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.2 | Impact: 3.6

Affected Packages: 4 packages

Vulnerability Details (5)
CVEList
Apache BookKeeper: Java Client Uses Connection to Host that Failed Hostname Verification | 2022-12-15
OSV
CVE-2022-32531: The Apache Bookkeeper Java Client (before 4 | 2022-12-15
GHSA
Apache Bookkeeper vulnerable to Improper Certificate Validation | 2022-12-15
OSV
CVE-2022-32531: The Apache Bookkeeper Java Client (before 4 | 2022-12-15
OSV
Apache Bookkeeper vulnerable to Improper Certificate Validation | 2022-12-15