CVE-2022-32531

CVE-2022-32531: Apache BookKeeper: Java Client Uses Connection to Host that Failed Hostname Verification

Vendor Apache Software Foundation

Product Apache BookKeeper

Weakness CWE-295

Published December 15, 2022

Last update April 17, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack. The problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1.

Key dates

Disclosure timeline

December 15, 2022 CVE published

April 17, 2025 Record updated

Identifiers

CVE CVE-2022-32531

CWE CWE-295

Affected versions

Vendor Apache Software Foundation

Product Apache BookKeeper

Affected ≤ 4.14.5

Vendor Apache Software Foundation

Product Apache BookKeeper

Affected 4.15.0