CVE-2022-33684

Severity
8.1 HIGH
EPSS
0.1%
top 70.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Nov 4

Description

The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and intercept and/or modify the GET request that is sent to the ClientCredentialFlow 'issuer url'. The intercepted credentials can be used to acquire authentication data from the OAuth2.0 server to then authenticate with an
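An added example in Python, not code from the Apache Pulsar project or from this page, covering the two checks a practitioner wants after reading the description above: whether an installed pulsar-client falls in an affected range, and what the defect looks like as a TLS-context decision next to the behaviour a correct client should have. Python's ssl module stands in for the C++ client's libcurl HTTPS call; all function names are this example's own, the `.well-known/openid-configuration` path is an assumption about what the client requests from the issuer URL, and the 2.9.x and 2.10.x ranges are an assumption taken from the advisory text rather than from this page.

```python
"""Added example (not Apache Pulsar project code) for CVE-2022-33684.

1. is_affected(): compare an installed pulsar-client version against the
   affected ranges.
2. issuer_tls_context_vulnerable() / issuer_tls_context_fixed(): the defect
   pattern (peer verification disabled regardless of configuration) beside
   the corrected behaviour, using Python's ssl module in place of libcurl.
"""
import re
import ssl
import urllib.request


def parse_version(text):
    """'2.8.4' -> (2, 8, 4). A 'v' prefix or a trailing pre-release tag such
    as 'rc1' is tolerated; only the numeric triple is compared."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x or 0) for x in m.groups())


# Half-open ranges [introduced, fixed). The 2.7.x and 2.8.x rows are the ones
# this page shows for apache/pulsar and PyPI pulsar-client; the 2.9.x and
# 2.10.x rows are an ASSUMPTION taken from the advisory text and should be
# checked against the linked GHSA/OSV entries before relying on them.
AFFECTED_RANGES = [
    ("2.7.0", "2.7.5"),
    ("2.8.0", "2.8.4"),
    ("2.9.0", "2.9.3"),    # assumption, see comment above
    ("2.10.0", "2.10.2"),  # assumption, see comment above
]


def is_affected(installed, ranges=AFFECTED_RANGES):
    """True when the installed version lies in any listed affected range."""
    v = parse_version(installed)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def issuer_tls_context_vulnerable(tls_allow_insecure_connection=False,
                                  tls_trust_certs_file_path=None):
    """The defect pattern: the configuration is accepted but never consulted,
    so the HTTPS call to the issuer URL accepts any certificate. An on-path
    attacker can terminate TLS and read or alter the client-credential request."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before CERT_NONE in ssl
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def issuer_tls_context_fixed(tls_allow_insecure_connection=False,
                             tls_trust_certs_file_path=None):
    """Corrected behaviour: verify chain and hostname by default, using the
    configured trust store when one is given, and disable verification only
    when the caller explicitly opts in."""
    ctx = ssl.create_default_context(cafile=tls_trust_certs_file_path)
    if tls_allow_insecure_connection:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(ctx):
    """Property check for a context about to carry the OAuth2 request."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_issuer_metadata(issuer_url, ctx, timeout=10):
    """GET the issuer's discovery document over a verified connection only.
    The .well-known path is the standard OpenID discovery location and is an
    assumption about what the client requests; it is not taken from this page."""
    if not verifies_peer(ctx):
        raise RuntimeError("refusing OAuth2 issuer request without peer verification")
    url = issuer_url.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    for v in ("2.8.3", "2.8.4", "3.0.0"):
        print(v, "affected" if is_affected(v) else "not in a listed range")
    print("vulnerable ctx verifies peer:", verifies_peer(issuer_tls_context_vulnerable()))
    print("fixed ctx verifies peer:", verifies_peer(issuer_tls_context_fixed()))
```

The point of `verifies_peer` guarding `fetch_issuer_metadata` is that the safe default should be enforced at the call site, not trusted to the library: the original defect was precisely a library ignoring a configuration flag that callers believed was in effect.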

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9

Affected Packages (3 packages)

Source      Package                                    Introduced  Fixed   More ranges
PyPI        pulsar-client                              2.8.0       2.8.4   +3
NVD         apache/pulsar                              2.7.0       2.7.5   +4
CVEListV5   apache_software_foundation/apache_pulsar   2.7         2.7.4   +4

Patches

Vulnerability Details (3 sources)
CVEList: Apache Pulsar C++/Python OAuth Clients prior to 3.0.0 were vulnerable to an MITM attack due to Disabled Certificate Validation (2022-11-04)
OSV: Apache Pulsar Disabled Certificate Validation for OAuth Client Credential Requests makes C++/Python Clients vulnerable to MITM attack (2022-11-04)
GHSA: Apache Pulsar Disabled Certificate Validation for OAuth Client Credential Requests makes C++/Python Clients vulnerable to MITM attack (2022-11-04)