CVE-2022-33681: 
Java vulnerability analysis and mitigation

Delayed TLS hostname verification in the Apache Pulsar Java Client and the Pulsar Proxy was identified as CVE-2022-33681. The vulnerability affects Apache Pulsar Java Client versions 2.7.0 to 2.7.4, 2.8.0 to 2.8.3, 2.9.0 to 2.9.2, 2.10.0, and 2.6.4 and earlier. The issue involves connections from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the Pulsar Proxy to the Pulsar Broker (NVD).

The vulnerability stems from authentication data being sent before verifying the server's TLS certificate matches the hostname. This improper certificate validation has been assigned a CVSS v3.1 Base Score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-295 (Improper Certificate Validation) (NVD).

The vulnerability exposes authentication data to potential attackers through a man-in-the-middle (MITM) attack. When exploited, an attacker could gain access to the client's authentication data, particularly affecting token-based authentication and username/password authentication methods, as this data could be used to impersonate the client in a separate session (NVD).

The vulnerability affects specific versions of Apache Pulsar Java Client, and users should upgrade to patched versions. The affected versions include 2.7.0 to 2.7.4, 2.8.0 to 2.8.3, 2.9.0 to 2.9.2, 2.10.0, and 2.6.4 and earlier (NVD).