CVE-2022-32531

The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack.

The problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1.

Published: Dec 15, 2022
Updated: Nov 8, 2023
CVE: CVE-2022-32531
GHSA: GHSA-gxq5-79m2-gvvq
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.9
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CWEs:

CWE-295

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
apache / bookkeeper	4.15.0	4.15.0.x
apache / bookkeeper	4.15.0-rc0	4.15.0-rc0.x
apache / bookkeeper	-	4.14.6
org.apache.bookkeeper / bookkeeper-common	-	4.14.6
org.apache.bookkeeper / bookkeeper-common	4.15.0	4.15.0.x
org.apache.bookkeeper / bookkeeper-common	4.15.0	4.15.1

https://lists.apache.org/thread/xyk2lfc7lzof8mksmwyympbqxts1b5s9

Vulnerability Database

CVE-2022-32531