How severe is CVE-2022-33682?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.9 out of 10.

What type of vulnerability is CVE-2022-33682?

This is classified as CWE-295, which is a common weakness in software security.

CVE-2022-33682 - MEDIUM Severity | CVSS 5.9

Vulnerability Description

TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to man in the middle attacks, which could leak credentials, configuration data, message data, and any other data sent by these clients. The vulnerability is for both the pulsar+ssl protocol and HTTPS. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host. This issue affects Apache Pulsar Broker, Proxy, and WebSocket Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.

Related Vulnerabilities

CVE-2008-4989

MEDIUM

CVSS:5.9(Medium)

The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certi...

CWE-2952008

CVE-2009-2408

MEDIUM

CVSS:5.9(Medium)

Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the s...

CWE-2952009

CVE-2010-4237

MEDIUM

CVSS:5.9(Medium)

Mercurial before 1.6.4 fails to verify the Common Name field of SSL certificates which allows remote attackers who acquire a certificate signed by a Certificate Authority to perform a man-in-the-middl...

CWE-2952010

CVE-2010-4532

MEDIUM

CVSS:5.9(Medium)

offlineimap before 6.3.2 does not check for SSL server certificate validation when "ssl = yes" option is specified which can allow man-in-the-middle attacks.

CWE-2952010

CVE-2011-0199

MEDIUM

CVSS:5.9(Medium)

The Certificate Trust Policy component in Apple Mac OS X before 10.6.8 does not perform CRL checking for Extended Validation (EV) certificates that lack OCSP URLs, which might allow man-in-the-middle ...

CWE-2952011

CVE-2012-1316

MEDIUM

CVSS:5.9(Medium)

Cisco IronPort Web Security Appliance does not check for certificate revocation which could lead to MITM attacks

CWE-2952012