CVSS3: 5.9 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 2.6 Low
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector string: AV:N/AC:H/Au:N/C:P/I:N/A:N

EPSS: 0.0004 Low
Percentile: 7.5%
org.apache.pulsar:pulsar-client-original is vulnerable to man-in-the-middle (MitM) attacks. The library does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled in the client configuration. A remote attacker who controls a machine between the client and the server can therefore intercept the TLS connection, resulting in a MitM attack.
github.com/apache/pulsar/commit/0348502a20694b58e6e79a467ca3a2142a90800f
github.com/apache/pulsar/commit/0cdf66ab7fc1a3681edf5776fe9bf817274bad96
github.com/apache/pulsar/commit/d63cc31d764efb076be9aa94d1ebe801b14e57a7
github.com/apache/pulsar/commit/d808271ba25285ab0b2a05e1d818aca4ac3cde60
github.com/apache/pulsar/pull/15824
lists.apache.org/thread/42v5rsxj36r3nhfxhmhb2x12r5jmvx3x
www.cybersecurity-help.cz/vdb/SB2022092246