
CVE-2022-33681: CWE-295 Improper Certificate Validation in Apache Software Foundation Apache Pulsar

Medium
Tags: Vulnerability, CVE-2022-33681, CWE-295
Published: Fri Sep 23 2022 (09/23/2022, 09:25:13 UTC)
Source: CVE
Vendor/Project: Apache Software Foundation
Product: Apache Pulsar

Description

Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy makes each client vulnerable to a man in the middle attack. Connections from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the Pulsar Proxy to the Pulsar Broker are vulnerable. Authentication data is sent before verifying that the server’s TLS certificate matches the hostname, which means authentication data could be exposed to an attacker. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host. Because the client sends authentication data before performing hostname verification, an attacker could gain access to the client’s authentication data. The client eventually closes the connection when it verifies the hostname and identifies that the targeted hostname does not match a hostname on the certificate. Because the client eventually closes the connection, the value of the intercepted authentication data depends on the authentication method used by the client. Token based authentication and username/password authentication methods are vulnerable because the authentication data can be used to impersonate the client in a separate session. This issue affects Apache Pulsar Java Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.

AI-Powered Analysis

AI analysis last updated: 07/08/2025, 05:10:51 UTC

Technical Analysis

CVE-2022-33681 is a medium severity vulnerability affecting the Apache Pulsar Java Client and Pulsar Proxy components in versions 2.6.4 and earlier, 2.7.0 to 2.7.4, 2.8.0 to 2.8.3, 2.9.0 to 2.9.2, and 2.10.0. The vulnerability arises from improper TLS certificate validation, classified under CWE-295 (Improper Certificate Validation). In this case, the Pulsar Java Client and Proxy perform hostname verification only after the TLS connection has been established, which means that authentication data is transmitted before the client verifies that the server's TLS certificate matches the intended hostname. This flaw allows a man-in-the-middle (MitM) attacker who controls a network position between the client and server to intercept authentication credentials by presenting a valid TLS certificate for a different hostname. Although the client eventually detects the mismatch and closes the connection, the authentication data, such as tokens or username/password credentials, has already been sent and can be captured by the attacker. The impact depends on the authentication method used; token-based and username/password authentication are particularly vulnerable because the stolen credentials can be reused to impersonate the client in separate sessions. Exploitation requires the attacker to actively manipulate network traffic and present a cryptographically valid but mismatched certificate. The vulnerability affects connections from the Pulsar Java Client to the Pulsar Broker or Proxy, as well as from the Pulsar Proxy to the Pulsar Broker. No known exploits are reported in the wild as of the published date. The CVSS v3.1 base score is 5.9, reflecting a medium severity with network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, and high confidentiality impact but no integrity or availability impact.

Potential Impact

For European organizations using Apache Pulsar, especially those deploying the Java Client and Proxy components in their messaging infrastructure, this vulnerability poses a risk of credential exposure to MitM attackers. Given that Pulsar is often used in real-time data streaming and messaging applications, exposure of authentication tokens or credentials could lead to unauthorized access to messaging systems, data leakage, and potential lateral movement within enterprise networks. This is particularly critical for sectors with stringent data protection requirements such as finance, healthcare, and critical infrastructure. The delayed hostname verification could undermine trust in secure communications, potentially leading to compliance issues under GDPR if personal data is compromised. Since the vulnerability requires network-level MitM capability, organizations with exposed or poorly segmented network environments are at higher risk. The impact is mitigated somewhat by the requirement for the attacker to present a valid certificate for an unrelated host, which may limit exploitability to sophisticated attackers capable of obtaining such certificates or compromising certificate authorities.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Upgrade Apache Pulsar Java Client and Proxy components to versions where this issue is fixed (versions later than 2.10.0 or patched releases once available).
2) Implement strict network segmentation and use encrypted VPN tunnels or private networks to reduce the risk of MitM attacks on Pulsar communication channels.
3) Employ certificate pinning or strict hostname verification configurations if supported by the client to ensure early validation of server certificates before sending authentication data.
4) Monitor network traffic for unusual TLS certificate anomalies or unexpected certificate authorities to detect potential MitM attempts.
5) Use stronger authentication methods that minimize credential exposure, such as mutual TLS authentication or short-lived tokens with limited scope and lifetime.
6) Regularly audit and rotate authentication credentials used by Pulsar clients to limit the window of opportunity for attackers.
7) Educate network and security teams about this vulnerability to ensure rapid response to suspicious network activity involving Pulsar components.
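The check the advisory says must run before any authentication data leaves the client (Technical Analysis above) is also the check a monitoring rule can apply to observed TLS sessions (mitigation 4). The following is an added example, not code from the advisory or from the Apache Pulsar project: an RFC 6125-style dNSName match run over constructed Zeek-style ssl.log records (field names, hostnames and issuers are all made up), flagging sessions where the presented certificate is valid but does not cover the requested Pulsar host, which is the on-the-wire signature of the MitM described here.

```python
from __future__ import annotations
import json

# Constructed sample records, not real traffic. Each line mimics a Zeek ssl.log
# entry joined with the leaf certificate's subjectAltName dNSName values.
SAMPLE_LOG = """\
{"ts": 1663923913.1, "id.orig_h": "10.0.1.25", "server_name": "broker1.pulsar.internal", "san_dns": ["*.pulsar.internal"], "issuer": "CN=Corp Internal CA"}
{"ts": 1663923914.2, "id.orig_h": "10.0.1.25", "server_name": "broker1.pulsar.internal", "san_dns": ["mitm.example.net"], "issuer": "CN=Public CA"}
{"ts": 1663923915.3, "id.orig_h": "10.0.1.26", "server_name": "proxy.pulsar.internal", "san_dns": ["proxy.pulsar.internal", "*.pulsar.internal"], "issuer": "CN=Corp Internal CA"}
{"ts": 1663923916.4, "id.orig_h": "10.0.1.27", "server_name": "broker2.pulsar.internal", "san_dns": ["*.internal"], "issuer": "CN=Corp Internal CA"}
"""


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName comparison: case-insensitive, a wildcard is
    allowed only as the entire left-most label, it never spans a label
    boundary, and a wildcard needs at least two fixed labels after it."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # e.g. "*.internal" must not cover "broker2.pulsar.internal"
    return p_labels[1:] == h_labels[1:]


def hostname_covered(server_name: str, san_dns: list[str]) -> bool:
    """True if any SAN entry covers the host the client asked for (SNI)."""
    return any(san_matches(p, server_name) for p in san_dns)


def find_mismatches(log_text: str, trusted_issuers: set[str]) -> list[dict]:
    """Return sessions whose certificate does not cover the requested host, or
    was issued by a CA the deployment does not expect for this service."""
    alerts = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        reasons = []
        if not hostname_covered(rec["server_name"], rec["san_dns"]):
            reasons.append("hostname_mismatch")
        if rec["issuer"] not in trusted_issuers:
            reasons.append("unexpected_issuer")
        if reasons:
            alerts.append({"ts": rec["ts"], "client": rec["id.orig_h"],
                           "server_name": rec["server_name"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_mismatches(SAMPLE_LOG, {"CN=Corp Internal CA"}):
        print(alert)
```

The set of expected issuers is deployment-specific; a public CA is not wrong in itself, but a public-CA certificate appearing where only the internal CA should sign broker certificates deserves a look.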


Technical Details

Data Version: 5.1
Assigner Short Name: apache
Date Reserved: 2022-06-15T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682f99000acd01a249270040

Added to database: 5/22/2025, 9:37:04 PM

Last enriched: 7/8/2025, 5:10:51 AM

Last updated: 8/12/2025, 4:10:59 AM
