CVE-2022-32531

{"id": "CVE-2022-32531", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2022-12-15T19:15:17.673", "references": [{"url": "https://lists.apache.org/thread/xyk2lfc7lzof8mksmwyympbqxts1b5s9", "tags": ["Mailing List", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://lists.apache.org/thread/xyk2lfc7lzof8mksmwyympbqxts1b5s9", "tags": ["Mailing List", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves\nthe bookkeeper client vulnerable to a man in the middle attack.\n\nThe problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1."}, {"lang": "es", "value": "El cliente Java Apache Bookkeeper (anteriores a 4.14.6 y tambi\u00e9n a 4.15.0) no cierra la conexi\u00f3n con el servidor de contabilidad cuando falla la verificaci\u00f3n del nombre de host TLS. Esto deja al cliente bookkeeper vulnerable al ataque de man in the middle. El problema afecta al cliente BookKeeper anterior a las versiones 4.14.6 y 4.15.1."}], "lastModified": "2025-04-17T19:15:53.487", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:bookkeeper:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "165DDEED-2AA8-4C6A-9A17-2F5639812306", "versionEndExcluding": "4.14.6"}, {"criteria": "cpe:2.3:a:apache:bookkeeper:4.15.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FEB56DB4-7402-4BE9-B580-6AD8E18BD6D5"}, {"criteria": "cpe:2.3:a:apache:bookkeeper:4.15.0:rc0:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "25931EF6-B967-4782-86EE-65764DD46FE1"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}