CVE-2022-32531 – Apache BookKeeper: Java Client Uses Connection to Host that Failed Hostname Verification

https://notcve.org/view.php?id=CVE-2022-32531

The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack. The problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1. El cliente Java Apache Bookkeeper (anteriores a 4.14.6 y también a 4.15.0) no cierra la conexión con el servidor de contabilidad cuando falla la verificación del nombre de host TLS. Esto deja al cliente bookkeeper vulnerable al ataque de man in the middle. El problema afecta al cliente BookKeeper anterior a las versiones 4.14.6 y 4.15.1. • https://lists.apache.org/thread/xyk2lfc7lzof8mksmwyympbqxts1b5s9 • CWE-295: Improper Certificate Validation •