
188 matches found

OSV
added 2022/12/15 7:15 p.m. | 12 views

PYSEC-2022-43060

The Apache Bookkeeper Java Client before 4.14.6 and also 4.15.0 does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack. The problem affects BookKeeper client prior to versions 4.14.6 a...

CVSS 5.9 | AI score 5.5 | EPSS 0.00798
Exploits 0 | References 1
Prion
added 2022/12/15 7:15 p.m. | 16 views

Design/Logic Flaw

The Apache Bookkeeper Java Client before 4.14.6 and also 4.15.0 does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack. The problem affects BookKeeper client prior to versions 4.14.6 a...

CVSS 2.6 | AI score 5.5 | EPSS 0.00798
Exploits 0 | References 1 | Affected Software 1
UbuntuCve
added 2022/12/15 7:15 p.m. | 26 views

CVE-2022-32531

The Apache Bookkeeper Java Client before 4.14.6 and also 4.15.0 does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack. The problem affects BookKeeper client prior to versions 4.14.6 a...

CVSS 5.9 | AI score 6.2 | EPSS 0.00798
Exploits 0 | References 2
Hacker One
added 2022/12/15 7:7 p.m. | 46 views

Kubernetes: The `io.kubernetes.client.util.generic.dynamic.Dynamics` contains a code execution vulnerability due to SnakeYAML

A code execution vulnerability was found in the io.kubernetes.client.util.generic.dynamic.Dynamics class of the Kubernetes Java Client version 17.0.0. The vulnerability was due to the use of SnakeYAML parser without safe constructor, which allowed an attacker to achieve code execution inside the...

CVSS 9.8 | AI score 8.8 | EPSS 0.93849
Exploits 7
Cvelist
added 2022/12/15 10:17 a.m. | 17 views

CVE-2022-32531 Apache BookKeeper: Java Client Uses Connection to Host that Failed Hostname Verification

The Apache Bookkeeper Java Client before 4.14.6 and also 4.15.0 does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack. The problem affects BookKeeper client prior to versions 4.14.6 a...

AI score 5.8 | EPSS 0.00798
Exploits 0 | References 1
Vulnrichment
added 2022/12/15 10:17 a.m. | 4 views

CVE-2022-32531 Apache BookKeeper: Java Client Uses Connection to Host that Failed Hostname Verification

The Apache Bookkeeper Java Client before 4.14.6 and also 4.15.0 does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack. The problem affects BookKeeper client prior to versions 4.14.6 a...

AI score 5.6 | EPSS 0.00798
Exploits 0 | References 1
CNNVD
added 2022/12/15 12:0 a.m. | 5 views

Apache BookKeeper Trust Management Issue Vulnerability

Apache BookKeeper is a scalable, fault-tolerant, and low-latency storage service optimized for real-time workloads from the Apache Foundation USA. A trust management issue vulnerability exists in the Apache Bookkeeper Java Client versions prior to 4.14.6 and prior to 4.15.0, which stems from a...

CVSS 5.9 | AI score 5.9 | EPSS 0.00798
Exploits 0 | References 2
Veracode
added 2022/12/01 5:52 a.m. | 22 views

Path Traversal

io.fusionauth:fusionauth-java-client is vulnerable to path traversal. An attacker is able to view or retrieve any file readable by the current user, via a maliciously crafted HTTP request, which allows the attacker to gain access to sensitive information in the system...

CVSS 7.5 | AI score 7.1 | EPSS 0.00582
Exploits 0 | References 3 | Affected Software 1
Rockylinux
added 2022/11/08 6:22 a.m. | 10 views

mariadb-java-client bug fix and enhancement update

An update is available for mariadb-java-client. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. For detailed information on changes in this release, see the Rock...

AI score 2
Exploits 0
RedHat Linux
added 2022/10/25 1:42 p.m. | 2 views

google-oauth-client: Token signature not verified

A flaw was found in Google OAuth Java client's IDToken verifier, where it does not verify if the token is properly signed. This issue could allow an attacker to provide a compromised token with a custom payload that will pass the validation on the client side, allowing access to information outsi...

CVSS 8.7 | AI score 5.8 | EPSS 0.00055
Exploits 0 | References 5
RedhatCVE
added 2022/10/19 3:47 p.m. | 14 views

CVE-2022-33681

A flaw was found in the Apache Pulsar Java Client. This flaw allows an attacker to use a Man-in-the-Middle (MITM) attack, manipulating network traffic and gaining the client's authentication data...

CVSS 5.9 | AI score 3.9 | EPSS 0.00177
Exploits 0 | References 3
IBM Security Bulletins
added 2022/10/13 10:19 p.m. | 28 views

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in WebSphere Application Server Liberty

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of WebSphere Application Server Liberty. Vulnerability Details CVEID:CVE-2022-22476 DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.7 and Open Liberty are vulnerable to identity...

CVSS 8.8 | AI score 6.8 | EPSS 0.01278
Exploits 0 | Affected Software 1
CNVD
added 2022/09/28 12:0 a.m. | 45 views

Apache Pulsar Trust Management Issues Vulnerability

Apache Pulsar is a distributed message streaming platform from the Apache Foundation (United States) for cloud environments that combines messaging, storage, and lightweight function computing. The software supports multi-tenancy, persistent storage, multi-datacenter cross-region data replication...

CVSS 5.9 | AI score 5.9 | EPSS 0.00177
Exploits 0 | References 1
IBM Security Bulletins
added 2022/09/27 1:17 p.m. | 29 views

Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable, Eclipse Paho Java client could allow a remote attacker to bypass security restrictions.

Summary IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable, Eclipse Paho Java client could allow a remote attacker to bypass security restrictions, caused by the failure to check the result when connecting to an MQTT server using TLS and setting a host...

CVSS 7.5 | AI score 7.5 | EPSS 0.01278
Exploits 0 | Affected Software 1
Github Security Blog
added 2022/09/25 12:0 a.m. | 14 views

Apache Pulsar Java Client vulnerable to Improper Certificate Validation

Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. Connections from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the Pulsar Proxy to the Pulsar Broker are vulnerable. Authentication...

CVSS 5.9 | AI score 6 | EPSS 0.00177
Exploits 0 | References 3 | Affected Software 1
OSV
added 2022/09/25 12:0 a.m. | 0 views

GHSA-C5FP-X2H5-VJV7 Apache Pulsar Java Client vulnerable to Improper Certificate Validation

Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. Connections from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the Pulsar Proxy to the Pulsar Broker are vulnerable. Authentication...

CVSS 5.9 | AI score 5.9 | EPSS 0.00177
Exploits 0 | References 3
NVD
added 2022/09/23 10:15 a.m. | 11 views

CVE-2022-33682

TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to man in the middle...

CVSS 5.9 | EPSS 0.00284
Exploits 0 | References 1
Prion
added 2022/09/23 10:15 a.m. | 13 views

Design/Logic Flaw

TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to man in the middle...

CVSS 2.6 | AI score 5.6 | EPSS 0.00284
Exploits 0 | References 1 | Affected Software 1
Prion
added 2022/09/23 10:15 a.m. | 13 views

Authentication flaw

Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. Connections from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the Pulsar Proxy to the Pulsar Broker are vulnerable. Authentication...

CVSS 2.6 | AI score 6.1 | EPSS 0.00177
Exploits 0 | References 1 | Affected Software 1
CVE
added 2022/09/23 9:25 a.m. | 61 views

CVE-2022-33682

The CVE-2022-33682 entry describes a TLS hostname verification issue in Apache Pulsar components: Pulsar Broker, Proxy, and WebSocket Proxy (Java Clients and Admin Client) where hostname verification cannot be enabled for pulsar+ssl and HTTPS. Root cause: hostname verification disabled, enabling ...

CVSS 5.9 | AI score 5.6 | EPSS 0.00284
Exploits 0 | References 1 | Affected Software 1