1. Home
  2. Security Advisories
  3. Maven
  4. MAVEN:GHSA-GXQ5-79M2-GVVQ

[MAVEN:GHSA-GXQ5-79M2-GVVQ] Apache Bookkeeper vulnerable to Improper Certificate Validation

Severity Moderate
Affected Packages 2
Fixed Packages 2
CVEs 1
Info Packages References Vulnerabilities

The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack. The problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1.

Package Affected Version
pkg:maven/org.apache.bookkeeper/bookkeeper-common = 4.15.0
pkg:maven/org.apache.bookkeeper/bookkeeper-common < 4.14.6
Package Fixed Version
pkg:maven/org.apache.bookkeeper/bookkeeper-common = 4.15.1
pkg:maven/org.apache.bookkeeper/bookkeeper-common = 4.14.6
ID
MAVEN:GHSA-GXQ5-79M2-GVVQ
Severity
moderate
URL
https://github.com/advisories/GHSA-gxq5-79m2-gvvq
Published
2022-12-15T21:30:29
(21 months ago)
Modified
2023-11-07T22:10:21
(10 months ago)
Rights
Maven Security Team
Other Advisories
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.apache.bookkeeper/bookkeeper-common org.apache.bookkeeper bookkeeper-common = 4.15.0
Fixed pkg:maven/org.apache.bookkeeper/bookkeeper-common org.apache.bookkeeper bookkeeper-common = 4.15.1
Affected pkg:maven/org.apache.bookkeeper/bookkeeper-common org.apache.bookkeeper bookkeeper-common < 4.14.6
Fixed pkg:maven/org.apache.bookkeeper/bookkeeper-common org.apache.bookkeeper bookkeeper-common = 4.14.6
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date