CVE-2022-33684 | Apache Pulsar C++/Python OAuth Clients prior to 3.0.0 were vulnerable to an MITM attack due to Disabled Certificate Validation

Exp

The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and intercept and/or modify the GET request that is sent to the ClientCredentialFlow 'issuer url'. The intercepted credentials can be used to acquire authentication data from the OAuth2.0 server to then authenticate with an Apache Pulsar cluster. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack. The Apache Pulsar Python Client wraps the C++ client, so it is also vulnerable in the same way. This issue affects Apache Pulsar C++ Client and Python Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0 to 2.10.1; 2.6.4 and earlier. Any users running affected versions of the C++ Client or the Python Client should rotate vulnerable OAuth2.0 credentials, including client_id and client_secret. 2.7 C++ and Python Client users should upgrade to 2.7.5 and rotate vulnerable OAuth2.0 credentials. 2.8 C++ and Python Client users should upgrade to 2.8.4 and rotate vulnerable OAuth2.0 credentials. 2.9 C++ and Python Client users should upgrade to 2.9.3 and rotate vulnerable OAuth2.0 credentials. 2.10 C++ and Python Client users should upgrade to 2.10.2 and rotate vulnerable OAuth2.0 credentials. 3.0 C++ users are unaffected and 3.0 Python Client users will be unaffected when it is released. Any users running the C++ and Python Client for 2.6 or less should upgrade to one of the above patched versions.

Published: 2022-11-04 Last update: 2026-06-17 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2022-33684 is rated High Exploit Risk (64.8/100): CVSS High severity, with low exploitation likelihood (EPSS 0.70%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2022-33684

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2022-33684

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.15% 0.70% +0.55%
2 2026-06-10 0.11% 0.15% +0.04%
3 2026-01-27 0.11%

Full EPSS history (12 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2022-33684

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
8.1 3.1 HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
2.2 5.9 [email protected]
8.1 3.1 HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
2.2 5.9 134c704f-9b21-4f2e-91b3-4a467353bcc0

Weakness enumeration for CVE-2022-33684

GitHub Security Advisory for CVE-2022-33684

GHSA-5r3h-c3r7-9w4h · Severity: high · Ecosystem: pip — Apache Pulsar Disabled Certificate Validation for OAuth Client Credential Requests makes C++/Python Clients vulnerable to MITM attack

Affected software / configurations for CVE-2022-33684

Vendor Product Version Raw CPE
apache pulsar <= 2.6.4 cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*
apache pulsar >= 2.7.0, < 2.7.5 cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*
apache pulsar >= 2.8.0, < 2.8.4 cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*
apache pulsar >= 2.9.0, < 2.9.3 cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*
apache pulsar >= 2.10.0, < 2.10.2 cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*

References for CVE-2022-33684

URL Tags
https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f Exploit Issue Tracking Patch Third Party Advisory
https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv Issue Tracking Mailing List Vendor Advisory
cvelogic Threat Intelligence