CVE-2022-32531

EUVD-2022-0020
The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack.

The problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1.
Provider   Type     Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       Primary  5.9 MEDIUM   NETWORK       HIGH              NONE             CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA-ADP   ADP      5.9 MEDIUM   NETWORK       HIGH              NONE             CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score: CVSS 3.x
EPSS Score Percentile: 73%
Affected Products (NVD)
Vendor   Product      Version
apache   bookkeeper   < 4.14.6
apache   bookkeeper   4.15.0
apache   bookkeeper   4.15.0:rc0
Ubuntu Releases
Ubuntu Product: bookkeeper
Codename   Status
bionic     needs-triage
focal      needs-triage
jammy      needs-triage
kinetic    ignored
lunar      dne
mantic     dne
noble      dne
trusty     ignored
xenial     needs-triage