Veracode Vulnerability DatabaseVERACODE:37301Man-in-the-Middle (MitM)
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
2.6 Low
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:H/Au:N/C:P/I:N/A:N
0.0004 Low
EPSS
Percentile
7.5%
org.apache.pulsar:pulsar-proxy is vulnerable to man-in-the-middle attacks. The exploitation of this vulnerability is possible because of the delayed TLS hostname verification, which allows a remote attacker to take control of a machine between the client and the server, leading to confidential authentication data exposure.
References
github.com/apache/pulsar/commit/0348502a20694b58e6e79a467ca3a2142a90800f
github.com/apache/pulsar/commit/0cdf66ab7fc1a3681edf5776fe9bf817274bad96
github.com/apache/pulsar/commit/d63cc31d764efb076be9aa94d1ebe801b14e57a7
github.com/apache/pulsar/commit/d808271ba25285ab0b2a05e1d818aca4ac3cde60
github.com/apache/pulsar/pull/15824
lists.apache.org/thread/fpo6x10trvn20hlk0dmnr5vlz5v4kl3d
www.cybersecurity-help.cz/vdb/SB2022092246
Related
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
2.6 Low
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:H/Au:N/C:P/I:N/A:N
0.0004 Low
EPSS
Percentile
7.5%