Enrico Olivelli

**Name of the Vulnerable Software and Affected Versions** Apache Bookkeeper Java Client versions prior to 4.14.6 and 4.15.1 **Description** The Apache Bookkeeper Java Client does not close the connection to the bookkeeper server when TLS hostname verification fails, leaving it vulnerable to a man-in-the-middle attack. **Recommendations** For versions prior to 4.14.6 and 4.15.1, update to version 4.14.6 or 4.15.1 or later to resolve the issue. As a temporary workaround, consider disabling TLS connections to the bookkeeper server until a patch is applied. Restrict access to the bookkeeper server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache Pulsar versions prior to 2.8.1 Apache Pulsar versions prior to 2.7.4 Apache Pulsar versions prior to 2.6.5 **Description** The issue allows access to data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API "get-message-by-id" requires the user to input a topic and a `ledger id`. The `ledger id` is a pointer to the data and is supposed to be a valid id for the topic. However, authorization controls are performed against the topic name, and there is no proper validation that the `ledger id` is valid in the context of such a ledger. This may allow a user to read from a ledger that contains data owned by another tenant. **Recommendations** For Apache Pulsar versions prior to 2.8.1, update to version 2.8.1 or later. For Apache Pulsar versions prior to 2.7.4, update to version 2.7.4 or later. For Apache Pulsar versions prior to 2.6.5, update to version 2.6.5 or later.