#VU67595 Improper Certificate Validation in Apache Pulsar - CVE-2022-33683
Published: September 22, 2022
Vulnerability identifier: #VU67595
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-33683
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Apache Pulsar
Apache Pulsar
Software vendor:
Apache Foundation
Apache Foundation
Description
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. A remote attacker can perform MitM attack.
Remediation
Install updates from vendor's website.