VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-uww6-myb1-xycu

Essentials
Severities (16)
References (7)
Severity details (13)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-uww6-myb1-xycu
Aliases	CVE-2022-33684 GHSA-5r3h-c3r7-9w4h
Summary	The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and intercept and/or modify the GET request that is sent to the ClientCredentialFlow 'issuer url'. The intercepted credentials can be used to acquire authentication data from the OAuth2.0 server to then authenticate with an Apache Pulsar cluster. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack. The Apache Pulsar Python Client wraps the C++ client, so it is also vulnerable in the same way. This issue affects Apache Pulsar C++ Client and Python Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0 to 2.10.1; 2.6.4 and earlier. Any users running affected versions of the C++ Client or the Python Client should rotate vulnerable OAuth2.0 credentials, including client_id and client_secret. 2.7 C++ and Python Client users should upgrade to 2.7.5 and rotate vulnerable OAuth2.0 credentials. 2.8 C++ and Python Client users should upgrade to 2.8.4 and rotate vulnerable OAuth2.0 credentials. 2.9 C++ and Python Client users should upgrade to 2.9.3 and rotate vulnerable OAuth2.0 credentials. 2.10 C++ and Python Client users should upgrade to 2.10.2 and rotate vulnerable OAuth2.0 credentials. 3.0 C++ users are unaffected and 3.0 Python Client users will be unaffected when it is released. Any users running the C++ and Python Client for 2.6 or less should upgrade to one of the above patched versions.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-295	Improper Certificate Validation
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00155	https://api.first.org/data/v1/epss?cve=CVE-2022-33684
epss	0.00155	https://api.first.org/data/v1/epss?cve=CVE-2022-33684
epss	0.00155	https://api.first.org/data/v1/epss?cve=CVE-2022-33684
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-5r3h-c3r7-9w4h
cvssv3.1	8.1	https://github.com/apache/pulsar-client-cpp
generic_textual	HIGH	https://github.com/apache/pulsar-client-cpp
cvssv3.1	8.1	https://github.com/apache/pulsar/pull/16064
generic_textual	HIGH	https://github.com/apache/pulsar/pull/16064
cvssv3.1	8.1	https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f
generic_textual	HIGH	https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f
ssvc	Track	https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f
cvssv3.1	8.1	https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv
generic_textual	HIGH	https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv
ssvc	Track	https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv
cvssv3.1	8.1	https://nvd.nist.gov/vuln/detail/CVE-2022-33684
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2022-33684

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2022-33684
		https://github.com/apache/pulsar-client-cpp
		https://github.com/apache/pulsar/pull/16064
CVE-2022-33684		https://nvd.nist.gov/vuln/detail/CVE-2022-33684
df89b724-3201-47aa-b8cd-282e112a566f		https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f
GHSA-5r3h-c3r7-9w4h		https://github.com/advisories/GHSA-5r3h-c3r7-9w4h
ky1ssskvkj00y36k7nys9b5gm5jjrzwv		https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/pulsar-client-cpp

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/pulsar/pull/16064

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-02T18:56:43Z/ Found at https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-02T18:56:43Z/ Found at https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-33684

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.36001
EPSS Score	0.00155
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T17:39:50.637115+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2022/33xxx/CVE-2022-33684.json	38.6.0