Description

The Apache Beam MongoDB connector in versions 2.10.0 to 2.16.0 has an option to disable SSL trust verification. However this configuration is not respected and the certificate verification disables trust verification in every case. This exclusion also gets registered globally which disables trust checking for any code running in the same JVM.

Remediation

References

https://lists.apache.org/thread.html/rdd0e85b71bf0274471b40fa1396d77f7b2d1165eaea4becbdc69aa04%40%3Cuser.beam.apache.org%3E

Related Vulnerabilities

CVE-2021-30179 Vulnerability in maven package org.apache.dubbo:dubbo

CVE-2023-30514 Vulnerability in maven package org.jenkins-ci.plugins:azure-keyvault

CVE-2020-2202 Vulnerability in maven package org.jenkins-ci.plugins:fortify-on-demand-uploader

CVE-2023-28935 Vulnerability in maven package org.apache.uima:uima-ducc-parent

CVE-2023-50765 Vulnerability in maven package org.jenkins-ci.plugins:scriptler

Severity

High

Classification

CWE-295 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Mailing List Vendor Advisory