PT-2022-21352 · Apache · Apache Bookkeeper Java Client
Enrico Olivelli · Published 2022-12-15 · Updated 2023-07-18 · CVE-2022-32531
CVSS v3.1: 5.9 (Medium)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Bookkeeper Java Client: every release before 4.14.6 (the 4.14 line and earlier), and 4.15.0 (fixed in 4.15.1)
Description
The Apache Bookkeeper Java Client does not close the connection to the bookkeeper server when TLS hostname verification fails. The TLS handshake succeeds against any certificate that chains to a CA in the client's trust store; the client then checks that the certificate matches the bookie's host name, but a mismatch is treated as a non-fatal condition and the already-established channel stays open and in use. An attacker who can steer the client's traffic (for example through a proxy in the path or a spoofed DNS answer) and who holds a certificate from a CA the client trusts, issued for some other name, can therefore sit between the client and the bookie. The impact is on integrity (I:H in the vector above): ledger traffic the client sends over that channel reaches the attacker rather than the intended bookie.
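The failure mode described above, as an added illustration in Java (not Apache BookKeeper's own code): a Netty client installs a post-handshake listener that compares the peer certificate's dNSName entries with the host it dialled. With `failClosed` set to false the listener reproduces the vulnerable behaviour (report the mismatch and keep the channel); with it set to true the channel is closed, which is the corrected behaviour. The class and method names, the strict non-wildcard SAN comparison, and the `bookie-1.example.internal` host used in the comment are assumptions of this example.

```java
// Added illustrative example, not code from Apache BookKeeper. Class and
// method names are assumptions. Requires Netty (io.netty:netty-handler).
import io.netty.channel.Channel;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

public final class HostnameCheckingTlsClient {

    /** Tag of a dNSName entry in subjectAltName, as returned by getSubjectAlternativeNames(). */
    private static final int SAN_DNS_NAME = 2;

    /**
     * True only if the leaf certificate the server presented carries the
     * expected host name as a dNSName SAN. Wildcards are deliberately not
     * handled here; the check is kept strict and simple.
     */
    static boolean peerMatchesHost(SSLSession session, String expectedHost)
            throws SSLPeerUnverifiedException, CertificateParsingException {
        Certificate[] chain = session.getPeerCertificates(); // throws if the peer sent no certificate
        if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            return false;
        }
        Collection<List<?>> sans = ((X509Certificate) chain[0]).getSubjectAlternativeNames();
        if (sans == null) {
            return false; // no SAN extension at all: never accept on CN alone
        }
        for (List<?> san : sans) {
            if (((Integer) san.get(0)) == SAN_DNS_NAME
                    && expectedHost.equalsIgnoreCase((String) san.get(1))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Installs the post-handshake host name check on an SslHandler already in
     * the channel pipeline. failClosed == false reproduces the behaviour the
     * advisory describes (report the mismatch, keep the channel); true is the
     * corrected behaviour (close the channel before any data is sent).
     *
     * Usage: attachHostnameCheck(sslHandler, channel, "bookie-1.example.internal", true);
     */
    static void attachHostnameCheck(SslHandler ssl, Channel ch, String expectedHost, boolean failClosed) {
        ssl.handshakeFuture().addListener(f -> {
            if (!f.isSuccess()) {
                return; // handshake itself failed; SslHandler fails the channel in that case
            }
            boolean ok;
            try {
                ok = peerMatchesHost(ssl.engine().getSession(), expectedHost);
            } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
                ok = false; // unverifiable peer is treated exactly like a mismatch
            }
            if (!ok) {
                System.err.println("TLS hostname verification failed for " + expectedHost);
                if (failClosed) {
                    // The fix: never let application traffic flow over a channel whose
                    // peer is not the bookie that was dialled.
                    ch.close();
                }
                // Vulnerable variant: falls through and the channel remains usable.
            }
        });
    }
}
```

The cleaner design is to make the handshake itself fail instead of checking afterwards: set `setEndpointIdentificationAlgorithm("HTTPS")` on the engine's `SSLParameters` before the handshake starts, so the JSSE provider rejects a name mismatch as a handshake error and there is no window in which an open channel has an unverified peer. The listener above is still useful as a second, explicit check, and its `failClosed` switch shows the one-line difference between the vulnerable and corrected behaviour.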
Recommendations
Update to 4.14.6 (for the 4.14 line) or to 4.15.1 or later. Disabling TLS is not a workaround: it removes the server authentication and integrity protection that the hostname check is part of, and leaves the connection open to the same interposition with no certificate required at all. Until the upgrade is deployed, limit what an attacker can do with a trusted-but-wrong certificate: give the client a dedicated trust store that contains only the CA issuing bookie certificates, and restrict the network path so that the client can reach only the bookies on their client port and its DNS resolution and any proxy in between are under your control.
Fix
Weakness Enumeration
Improper Certificate Validation (CWE-295)
Related Identifiers
CVE-2022-32531
Affected Products
Apache Bookkeeper Java Client