Description

The Apache Beam MongoDB connector in versions 2.10.0 to 2.16.0 has an option to disable SSL trust verification. However this configuration is not respected and the certificate verification disables trust verification in every case. This exclusion also gets registered globally which disables trust checking for any code running in the same JVM.

Remediation

References

https://lists.apache.org/thread.html/rdd0e85b71bf0274471b40fa1396d77f7b2d1165eaea4becbdc69aa04%40%3Cuser.beam.apache.org%3E

Related Vulnerabilities

CVE-2020-2166 Vulnerability in maven package de.taimos:pipeline-aws

CVE-2022-41234 Vulnerability in maven package org.jenkins-ci.plugins:rundeck

CVE-2020-1695 Vulnerability in maven package org.jboss.resteasy:resteasy-jaxrs-all

CVE-2019-1003087 Vulnerability in maven package org.jenkins-ci.plugins:labmanager

CVE-2022-45395 Vulnerability in maven package com.thalesgroup.jenkins-ci.plugins:cccc

Severity

High

Classification

CWE-295 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Mailing List Vendor Advisory