GHSA-jvf3-mfxv-jcqr

Source

https://github.com/advisories/GHSA-jvf3-mfxv-jcqr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-jvf3-mfxv-jcqr/GHSA-jvf3-mfxv-jcqr.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-jvf3-mfxv-jcqr

Aliases

CVE-2022-33682

Published

2022-09-25T00:00:27Z

Modified

2023-11-01T04:59:11.712672Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Apache Pulsar Broker, Proxy, and WebSocket Proxy vulnerable to Improper Certificate Validation

Details

TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to man in the middle attacks, which could leak credentials, configuration data, message data, and any other data sent by these clients. The vulnerability is for both the pulsar+ssl protocol and HTTPS. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host. This issue affects Apache Pulsar Broker, Proxy, and WebSocket Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.

Database specific

{
    "nvd_published_at": "2022-09-23T10:15:00Z",
    "github_reviewed_at": "2022-09-30T00:09:24Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-295"
    ]
}

References

Affected packages

Maven / org.apache.pulsar:pulsar-broker

Package

Name: org.apache.pulsar:pulsar-broker; View open source insights on deps.dev
Purl: pkg:maven/org.apache.pulsar/pulsar-broker

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.7.5

Affected versions

1.*

1.19.0-incubating

1.20.0-incubating

1.21.0-incubating

1.22.0-incubating

1.22.1-incubating

2.*

2.0.0-rc1-incubating

2.0.1-incubating

2.1.0-incubating

2.1.1-incubating

2.2.0

2.2.1

2.3.0

2.3.1

2.3.2

2.4.0

2.4.1

2.4.2

2.5.0

2.5.1

2.5.2

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

Maven / org.apache.pulsar:pulsar-proxy

Package

Name: org.apache.pulsar:pulsar-proxy; View open source insights on deps.dev
Purl: pkg:maven/org.apache.pulsar/pulsar-proxy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.7.5

Affected versions

1.*

1.19.0-incubating

1.20.0-incubating

1.21.0-incubating

1.22.0-incubating

1.22.1-incubating

2.*

2.0.0-rc1-incubating

2.0.1-incubating

2.1.0-incubating

2.1.1-incubating

2.2.0

2.2.1

2.3.0

2.3.1

2.3.2

2.4.0

2.4.1

2.4.2

2.5.0

2.5.1

2.5.2

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

Maven / org.apache.pulsar:pulsar-broker

Package

Name: org.apache.pulsar:pulsar-broker; View open source insights on deps.dev
Purl: pkg:maven/org.apache.pulsar/pulsar-broker

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.8.0

Fixed

2.8.4

Affected versions

2.*

2.8.0

2.8.1

2.8.2

2.8.3

Maven / org.apache.pulsar:pulsar-proxy

Package

Name: org.apache.pulsar:pulsar-proxy; View open source insights on deps.dev
Purl: pkg:maven/org.apache.pulsar/pulsar-proxy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.8.0

Fixed

2.8.4

Affected versions

2.*

2.8.0

2.8.1

2.8.2

2.8.3

Maven / org.apache.pulsar:pulsar-broker

Package

Name: org.apache.pulsar:pulsar-broker; View open source insights on deps.dev
Purl: pkg:maven/org.apache.pulsar/pulsar-broker

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.9.0

Fixed

2.9.3

Affected versions

2.*

2.9.0

2.9.1

2.9.2

Maven / org.apache.pulsar:pulsar-proxy

Package

Name: org.apache.pulsar:pulsar-proxy; View open source insights on deps.dev
Purl: pkg:maven/org.apache.pulsar/pulsar-proxy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.9.0

Fixed

2.9.3

Affected versions

2.*

2.9.0

2.9.1

2.9.2

Maven / org.apache.pulsar:pulsar-broker

Package

Name: org.apache.pulsar:pulsar-broker; View open source insights on deps.dev
Purl: pkg:maven/org.apache.pulsar/pulsar-broker