CVE-2022-33682 – TLS hostname verification cannot be enabled in the Pulsar Broker’s Java Client, the Pulsar …

23 September 2022

Vuln ID: CVE-2022-33682

Published: 2022-09-23 10:15:10Z

Description: TLS hostname verification cannot be enabled in the Pulsar Broker’s Java Client, the Pulsar Broker’s Java Admin Client, the Pulsar WebSocket Proxy’s Java Client, and the Pulsar Proxy’s Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to man in the middle attacks, which could leak credentials, configuration data, message data, and any other data sent by these clients. The vulnerability is for both the pulsar+ssl protocol and HTTPS. An attacker can only take advantage of this vulnerability by taking control of a machine ‘between’ the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host. This issue affects Apache Pulsar Broker, Proxy, and WebSocket Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.

Source: NVD.NIST.GOV

Date:

23 September 2022

Categorie(s):

NVD

Tag(s):

NVD

10 Data Governance Services: What You Need to Know Before You Choose25 April 2024
All You Need To Know About Security And Privacy Score on Quick Heal antivirus25 April 2024
Nagomi Security raises $30 million to help security teams improve their level of protection25 April 2024
Alert! Cisco Releases Critical Security Updates to Fix 2 ASA Firewall 0-Days25 April 2024
Pakistani APT Hackers Attacking Indian Govt Entities With Weaponized Shortcut Files25 April 2024