CVE-2022-32531 – apache-bookkeeper-client

Package

Manager: pip
Name: apache-bookkeeper-client
Vulnerable Version: =4.10.0 || =4.11.0 || =4.11.1 || =4.12.0 || =4.12.0a0 || =4.12.1 || =4.13.0 || =4.14.0 || =4.14.1 || =4.14.2 || =4.14.5 || =4.9.0 || =4.9.0a1 || =4.9.0a2 || =4.9.0a3 || =4.9.1 || =4.9.2 || >=0 <4.14.6

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00125 pctl0.32553

Details

The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack. The problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1.

Metadata

Created: 2022-12-15T19:15:00Z
Modified: 2023-11-08T04:09:36.700014Z
Source: https://osv-vulnerabilities
CWE IDs: N/A
Alternative ID: N/A
Finding: F163
Auto approve: 1