Main Vulnerability Database Vulnerabilities #VU67595

Improper Certificate Validation in Apache Pulsar - CVE-2022-33683

Published: September 22, 2022

Vulnerability identifier: #VU67595

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2022-33683

CWE-ID: CWE-295

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Apache Foundation

Affected software:
Apache Pulsar

Detailed vulnerability description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. A remote attacker can perform MitM attack.

How to mitigate CVE-2022-33683

Install updates from vendor's website.

Sources

https://seclists.org/oss-sec/2022/q3/228

Improper Certificate Validation in Apache Pulsar - CVE-2022-33683

Detailed vulnerability description

How to mitigate CVE-2022-33683

Sources

Please verify you're human