GHSA-gxq5-79m2-gvvq

Source
https://github.com/advisories/GHSA-gxq5-79m2-gvvq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-gxq5-79m2-gvvq/GHSA-gxq5-79m2-gvvq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gxq5-79m2-gvvq
Aliases
Published
2022-12-15T21:30:29Z
Modified
2024-02-16T08:13:45.163019Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Apache Bookkeeper vulnerable to Improper Certificate Validation
Details

The Apache BookKeeper Java client (versions before 4.14.6, and 4.15.0) does not close the connection to the BookKeeper server (bookie) when TLS hostname verification fails. The mismatch is detected, but the already-established connection is left open and can still be used, so a peer presenting a certificate for the wrong host is not cut off. This leaves the BookKeeper client vulnerable to a man-in-the-middle attack. The problem affects BookKeeper client versions prior to 4.14.6 and 4.15.1.
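The failure mode above is "verification fails, connection survives". The following added example (illustrative Python, not Apache BookKeeper's own code, which is Java on Netty) puts the vulnerable handling next to the fixed handling. `Channel` is a constructed stand-in for a TLS connection, `peer_dns_names` stands in for the peer certificate's SAN dNSName entries, and `hostname_matches` is a small RFC 6125-style matcher written here for the example; none of these names come from the project.

```python
"""Handling a TLS hostname-verification failure: vulnerable vs. fixed.

Added illustration for the advisory above; this is not Apache BookKeeper
code. `Channel` stands in for a TLS connection and `peer_dns_names` stands
in for the peer certificate's SAN dNSName entries (constructed data, not a
parsed X.509 certificate).
"""


def hostname_matches(hostname: str, dns_names: list[str]) -> bool:
    """RFC 6125-style match of `hostname` against SAN dNSName entries.

    A wildcard is accepted only as the entire leftmost label and only when
    at least two labels follow it, so `*.example.com` matches
    `bookie1.example.com` but not `a.b.example.com` or `example.com`.
    Trailing dots and case are ignored.
    """
    host = hostname.rstrip(".").lower().split(".")
    for name in dns_names:
        pattern = name.rstrip(".").lower().split(".")
        if len(pattern) != len(host):
            continue
        if pattern[0] == "*":
            if len(pattern) >= 3 and pattern[1:] == host[1:]:
                return True
        elif pattern == host:
            return True
    return False


class Channel:
    """Stand-in for an established TLS connection to a bookie."""

    def __init__(self, peer_dns_names: list[str]) -> None:
        self.peer_dns_names = peer_dns_names
        self.is_open = True
        self.sent: list[bytes] = []

    def write(self, data: bytes) -> None:
        if not self.is_open:
            raise ConnectionError("channel is closed")
        self.sent.append(data)

    def close(self) -> None:
        self.is_open = False


class HostnameMismatch(Exception):
    pass


def vulnerable_verify(expected_host: str, ch: Channel, log: list[str]) -> Channel:
    """Mirrors the advisory's bug: the mismatch is only logged and the
    channel is handed back still open, so later writes reach the
    unverified peer."""
    if not hostname_matches(expected_host, ch.peer_dns_names):
        log.append(f"hostname verification failed for {expected_host}")
    return ch


def fixed_verify(expected_host: str, ch: Channel, log: list[str]) -> Channel:
    """Fixed behaviour: tear the connection down before anyone can use it,
    then surface the failure to the caller."""
    if not hostname_matches(expected_host, ch.peer_dns_names):
        log.append(f"hostname verification failed for {expected_host}")
        ch.close()
        raise HostnameMismatch(expected_host)
    return ch


def run(verify) -> dict:
    """Drive one verifier against a peer presenting a certificate for the
    wrong host (constructed), then try to send an entry over the channel."""
    log: list[str] = []
    ch = Channel(peer_dns_names=["attacker.example.net"])
    raised = False
    try:
        ch = verify("bookie1.example.com", ch, log)
    except HostnameMismatch:
        raised = True
    try:
        ch.write(b"addEntry ledger=7 entry=0 payload=...")
        sent = True
    except ConnectionError:
        sent = False
    return {"raised": raised, "open": ch.is_open, "data_sent": sent, "log": log}


if __name__ == "__main__":
    print("vulnerable:", run(vulnerable_verify))
    print("fixed:     ", run(fixed_verify))
```

The check a practitioner wants from a fix like this is the one `run` performs: after a failed verification, the channel must be closed and a subsequent write must fail, not merely a log line emitted. When auditing a client library, look for the close (or exception that triggers it) on the verification-failure path, not just for the presence of a hostname verifier.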

Database specific
{
    "nvd_published_at": "2022-12-15T19:15:00Z",
    "cwe_ids": [
        "CWE-295"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-15T23:33:41Z"
}
References

Affected packages

Maven / org.apache.bookkeeper:bookkeeper-common

Package

Name
org.apache.bookkeeper:bookkeeper-common
Purl
pkg:maven/org.apache.bookkeeper/bookkeeper-common

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.14.6

Affected versions

4.*

4.6.0
4.6.1
4.6.2
4.7.0
4.7.1
4.7.2
4.7.3
4.8.0
4.8.1
4.8.2
4.9.0
4.9.1
4.9.2
4.10.0
4.11.0
4.11.1
4.12.0
4.12.1
4.13.0
4.14.0
4.14.1
4.14.2
4.14.3
4.14.4
4.14.5

Maven / org.apache.bookkeeper:bookkeeper-common

Package

Name
org.apache.bookkeeper:bookkeeper-common
Purl
pkg:maven/org.apache.bookkeeper/bookkeeper-common

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.15.0
Fixed
4.15.1

Affected versions

4.*

4.15.0