CVE-2022-32531

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-32531

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-32531.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-32531

Aliases

Downstream

UBUNTU-CVE-2022-32531

Published

2022-12-15T19:15:17.673Z

Modified

2026-03-14T11:47:44.094148Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack.

The problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1.

References

https://lists.apache.org/thread/xyk2lfc7lzof8mksmwyympbqxts1b5s9

Affected packages

Git / github.com/apache/bookkeeper

Affected ranges

Type

GIT

Repo

https://github.com/apache/bookkeeper

Events

Introduced

Fixed

a96884ec279f5fbcd628c7ae3791d99a8e19ca69

Introduced

Last affected

f771b7664f7f83ae4ae3e8eaa516c879c4bc7897

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.14.6"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.15.0-NA"
        }
    ]
}

Affected versions

release-4.*

release-4.15.0

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "4.15.0-rc0"
            }
        ]
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-32531.json"