Home > Vulnerability Database > CVE-2022-33683

Mend.io Vulnerability Database

CVE-2022-33683

Good to know:

Date: September 23, 2022

Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin Client's intra-cluster and geo-replication HTTPS connections are vulnerable to man in the middle attacks, which could leak authentication data, configuration data, and any other data sent by these clients. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack. This issue affects Apache Pulsar Broker and Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.

Language: Java

Severity Score

5.9

Related Resources (3)

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-33683

Url: https://lists.apache.org/thread/42v5rsxj36r3nhfxhmhb2x12r5jmvx3x

Url: https://www.mend.io/vulnerability-database/CVE-2022-33683

Severity Score

5.9

Weakness Type (CWE)

Improper Certificate Validation

CWE-295

Top Fix

Upgrade Version

Upgrade to version org.apache.pulsar:pulsar-proxy:2.7.5,2.8.4,2.9.3,2.10.1;org.apache.pulsar:pulsar-broker:2.7.5,2.8.4,2.9.3,2.10.1

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-33683

Good to know:

Date: September 23, 2022

Language: Java

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?