CVE-2022-33682

CWE-295 — Improper Certificate Validation4 documents4 sources

Severity

5.9MEDIUM

EPSS

0.3%

top 48.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Pulsar Apache Software Foundation Apache Pulsar

Timeline

PublishedSep 23

Latest updateSep 25

Description

TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to man in the middle attacks, which could leak credentials, configuration data, message data, and any other data sent by these clients. The vulnerability is for both the pulsar+ssl protocol and HTTPS. An attacker can only take…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages4 packages

▶Mavenorg.apache.pulsar:pulsar-proxy2.8.0 — 2.8.4+3

▶Mavenorg.apache.pulsar:pulsar-broker2.8.0 — 2.8.4+3

▶NVDapache/pulsar2.8.0 — 2.8.4+3

▶CVEListV5apache_software_foundation/apache_pulsar2.7 — 2.7.4+4

🔴Vulnerability Details

GHSA

Apache Pulsar Broker, Proxy, and WebSocket Proxy vulnerable to Improper Certificate Validation↗2022-09-25

▶

OSV

Apache Pulsar Broker, Proxy, and WebSocket Proxy vulnerable to Improper Certificate Validation↗2022-09-25

▶

CVEList

Disabled Hostname Verification makes Brokers, Proxies vulnerable to MITM attack↗2022-09-23

▶