CVE-2022-32531

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-32531

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-32531.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-32531

Aliases

Related

UBUNTU-CVE-2022-32531

Published

2022-12-15T19:15:17Z

Modified

2024-09-03T04:16:59.521476Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack.

The problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1.

References

https://lists.apache.org/thread/xyk2lfc7lzof8mksmwyympbqxts1b5s9

Affected packages

Git / github.com/apache/bookkeeper

Affected ranges

Type: GIT
Repo: https://github.com/apache/bookkeeper
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

a96884ec279f5fbcd628c7ae3791d99a8e19ca69

Affected versions

release-4.*

release-4.14.0

release-4.14.1

release-4.14.2

release-4.14.3

release-4.14.4

release-4.14.4-docker

release-4.14.5