CVE-2022-33684
CVE-2022-33684 is a high-severity vulnerability in Apache Pulsar with a CVSS 3.x base score of 8.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-295.
Key facts
- Severity: High (CVSS 3.x base score 8.1)
- EPSS exploit prediction: 1% (49th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-295
- Affected product: Apache Pulsar
- Published:
- Last modified:
Description
The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and intercept and/or modify the GET request that is sent to the ClientCredentialFlow 'issuer url'. The intercepted credentials can be used to acquire authentication data from the OAuth2.0 server to then authenticate with an Apache Pulsar cluster. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack. The Apache Pulsar Python Client wraps the C++ client, so it is also vulnerable in the same way. This issue affects Apache Pulsar C++ Client and Python Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0 to 2.10.1; 2.6.4 and earlier. Any users running affected versions of the C++ Client or the Python Client should rotate vulnerable OAuth2.0 credentials, including client_id and client_secret. 2.7 C++ and Python Client users should upgrade to 2.7.5 and rotate vulnerable OAuth2.0 credentials. 2.8 C++ and Python Client users should upgrade to 2.8.4 and rotate vulnerable OAuth2.0 credentials. 2.9 C++ and Python Client users should upgrade to 2.9.3 and rotate vulnerable OAuth2.0 credentials. 2.10 C++ and Python Client users should upgrade to 2.10.2 and rotate vulnerable OAuth2.0 credentials. 3.0 C++ users are unaffected and 3.0 Python Client users will be unaffected when it is released. Any users running the C++ and Python Client for 2.6 or less should upgrade to one of the above patched versions.
Frequently asked questions
- What is CVE-2022-33684?
- The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and intercept and/or modify the GET request that is sent to the ClientCredentialFlow 'issuer url'. The intercepted credentials can be used to acquire authentication data from the OAuth2.0 server to then authenticate with an Apache Pulsar cluster. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack. The Apache Pulsar Python Client wraps the C++ client, so it is also vulnerable in the same way. This issue affects Apache Pulsar C++ Client and Python Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0 to 2.10.1; 2.6.4 and earlier. Any users running affected versions of the C++ Client or the Python Client should rotate vulnerable OAuth2.0 credentials, including client_id and client_secret. 2.7 C++ and Python Client users should upgrade to 2.7.5 and rotate vulnerable OAuth2.0 credentials. 2.8 C++ and Python Client users should upgrade to 2.8.4 and rotate vulnerable OAuth2.0 credentials. 2.9 C++ and Python Client users should upgrade to 2.9.3 and rotate vulnerable OAuth2.0 credentials. 2.10 C++ and Python Client users should upgrade to 2.10.2 and rotate vulnerable OAuth2.0 credentials. 3.0 C++ users are unaffected and 3.0 Python Client users will be unaffected when it is released. Any users running the C++ and Python Client for 2.6 or less should upgrade to one of the above patched versions.
- How severe is CVE-2022-33684?
- CVE-2022-33684 has a CVSS 3.x base score of 8.1, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2022-33684 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (49th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-33684?
- CVE-2022-33684 affects Apache Pulsar. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-33684?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2022-33684 published?
- CVE-2022-33684 was published on 2022-11-04 and last updated on 2026-06-17.
References
- https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f
- https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv
Affected products (1)
- cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*
More vulnerabilities in Apache Pulsar
- CVE-2021-22160 — Critical (CVSS 9.8): If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of…
- CVE-2023-30429 — Critical (CVSS 9.6): Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar. This issue affects Apache Pulsar:…
- CVE-2024-27894 — High (CVSS 8.5): The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the…
- CVE-2024-27135 — High (CVSS 8.5): Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java…
- CVE-2024-27317 — High (CVSS 8.4): In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip…
- CVE-2022-34321 — High (CVSS 8.2): Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint…
All CVEs affecting Apache Pulsar →
Other CWE-295 (Improper Certificate Validation) vulnerabilities
- CVE-2026-4370 — Critical (CVSS 10.0): A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the…
- CVE-2026-30836 — Critical (CVSS 10.0): Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6…
- CVE-2025-68121 — Critical (CVSS 10.0): During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between…
- CVE-2022-20703 — Critical (CVSS 10.0): Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker…
- CVE-2021-1471 — Critical (CVSS 9.9): Multiple vulnerabilities in Cisco Jabber for Windows, Cisco Jabber for MacOS, and Cisco Jabber for mobile platforms…
- CVE-2026-20184 — Critical (CVSS 9.8): A vulnerability in the integration of single sign-on (SSO) with Control Hub in Cisco Webex Services could have allowed…
Browse all CWE-295 (Improper Certificate Validation) vulnerabilities →