Main Vulnerability Database Vulnerabilities #VU67594

Improper validation of certificate with host mismatch in Apache Pulsar - CVE-2022-33682

Published: September 22, 2022

Vulnerability identifier: #VU67594

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2022-33682

CWE-ID: CWE-297

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Apache Foundation

Affected software:
Apache Pulsar

Detailed vulnerability description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client. A remote attacker can perform MitM attack.

How to mitigate CVE-2022-33682

Install updates from vendor's website.

Sources

https://seclists.org/oss-sec/2022/q3/227

Improper validation of certificate with host mismatch in Apache Pulsar - CVE-2022-33682

Detailed vulnerability description

How to mitigate CVE-2022-33682

Sources

Please verify you're human