CVE-2022-32531 – org.apache.bookkeeper:bookkeeper-common
Package
Manager: maven
Name: org.apache.bookkeeper:bookkeeper-common
Vulnerable Version: >=0 <4.14.6 || =4.15.0 || >=4.15.0 <4.15.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00125 pctl0.32553
Details
Apache BookKeeper vulnerable to Improper Certificate Validation
The Apache BookKeeper Java client (before 4.14.6, and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. Because the connection stays open after the peer's certificate has been rejected, the client remains vulnerable to a man-in-the-middle attack. The problem affects BookKeeper clients prior to versions 4.14.6 and 4.15.1.
Metadata
Created: 2022-12-15T21:30:29Z
Modified: 2022-12-20T15:22:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-gxq5-79m2-gvvq/GHSA-gxq5-79m2-gvvq.json
CWE IDs: ["CWE-295"]
Alternative ID: GHSA-gxq5-79m2-gvvq
Finding: F163
Auto approve: 1