CVE Vulnerability

CVE-2022-32531

The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack. The problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1.

5.9 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://lists.apache.org/thread/xyk2lfc7lzof8mksmwyympbqxts1b5s9 Mailing List Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:apache:bookkeeper:4.15.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:bookkeeper:4.15.0:rc0:*:*:*:*:*:*
cpe:2.3:a:apache:bookkeeper:*:*:*:*:*:*:*:*
Information

Published : 2022-12-15 07:15

Updated : 2022-12-20 01:49

NVD link : CVE-2022-32531

Mitre link : CVE-2022-32531

Products Affected

Apache

Bookkeeper

CWE
CWE-295

Improper Certificate Validation