Apache Pulsar Disabled Certificate Validation for OAuth Client Credential Requests makes C++/Python Clients vulnerable to MITM attack

🗓️ 04 Nov 2022 19:01:17Reported by GitHub Advisory DatabaseType

Apache Pulsar Client Credential Flow Vulnerabilit

Reporter	Title	Published	Views	Family All 15
BDU FSTEC	The vulnerabilities of the Pulsar C++ Client and Pulsar Python Client components of the cloud platform for distributed messaging and Apache Pulsar’s streaming communication allow attackers to execute “man-in-the-middle” attacks.	16 Dec 202200:00	–	bdu_fstec
Circl	CVE-2022-33684	4 Nov 202215:28	–	circl
CNNVD	Apache Pulsar 信任管理问题漏洞	4 Nov 202200:00	–	cnnvd
CNVD	Apache Pulsar Trust Management Issue Vulnerability (CNVD-2022-83591)	8 Nov 202200:00	–	cnvd
CVE	CVE-2022-33684	4 Nov 202200:00	–	cve
Cvelist	CVE-2022-33684 Apache Pulsar C++/Python OAuth Clients prior to 3.0.0 were vulnerable to an MITM attack due to Disabled Certificate Validation	4 Nov 202200:00	–	cvelist
Huntr	SSL verification omitted in OAuth2 credential flow	10 Mar 202217:24	–	huntr
EUVD	EUVD-2022-7246	3 Oct 202520:07	–	euvd
NVD	CVE-2022-33684	4 Nov 202212:15	–	nvd
OSV	GHSA-5R3H-C3R7-9W4H Apache Pulsar Disabled Certificate Validation for OAuth Client Credential Requests makes C++/Python Clients vulnerable to MITM attack	4 Nov 202219:01	–	osv

Vulners

Node

pulsar-clientRange2.10.0–2.10.2pip

pulsar-clientRange2.9.0–2.9.3pip

pulsar-clientRange2.8.0–2.8.4pip

pulsar-clientRange<2.7.5pip

Source	Link
nvd	www.nvd.nist.gov/vuln/detail/CVE-2022-33684
lists	www.lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv
github	www.github.com/apache/pulsar/pull/16064
huntr	www.huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f
github	www.github.com/advisories/GHSA-5r3h-c3r7-9w4h

28 Jan 2023 05:06Current

7.9High risk

Vulners AI Score7.9

CVSS 3.18.1

EPSS0.00155

SSVC