Severity: important
Description:
Improper Input Validation vulnerability in Proxy component of Apache Pulsar
allows an attacker to make TCP/IP connection attempts that originate from the
Pulsar Proxy's IP address.
When the Apache Pulsar Proxy component is used, it is possible to attempt to
op

Severity: high
Description:
TLS hostname verification cannot be enabled in the Pulsar Broker's
Java Client, the Pulsar Broker's Java Admin Client, the Pulsar
WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client,
leaving intra-cluster connections and geo-replication connections
vulner

Severity: high
Description:
Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar
Proxy makes each client vulnerable to a man-in-the-middle attack. Connections
from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the
Pulsar Proxy to the Pulsar Broker

Severity: high
Description:
Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that
does not verify peer TLS certificates, even when tlsAllowInsecureConnection is
disabled via configuration. The Pulsar Admin Client's intra-cluster and
geo-replication HTTPS connections are