{"id":"CVE-2022-33684","details":"The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and intercept and/or modify the GET request that is sent to the ClientCredentialFlow 'issuer url'. The intercepted credentials can be used to acquire authentication data from the OAuth2.0 server to then authenticate with an Apache Pulsar cluster. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack. The Apache Pulsar Python Client wraps the C++ client, so it is also vulnerable in the same way. This issue affects Apache Pulsar C++ Client and Python Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0 to 2.10.1; 2.6.4 and earlier. Any users running affected versions of the C++ Client or the Python Client should rotate vulnerable OAuth2.0 credentials, including client_id and client_secret. 2.7 C++ and Python Client users should upgrade to 2.7.5 and rotate vulnerable OAuth2.0 credentials. 2.8 C++ and Python Client users should upgrade to 2.8.4 and rotate vulnerable OAuth2.0 credentials. 2.9 C++ and Python Client users should upgrade to 2.9.3 and rotate vulnerable OAuth2.0 credentials. 2.10 C++ and Python Client users should upgrade to 2.10.2 and rotate vulnerable OAuth2.0 credentials. 3.0 C++ users are unaffected and 3.0 Python Client users will be unaffected when it is released. Any users running the C++ and Python Client for 2.6 or less should upgrade to one of the above patched versions.","aliases":["GHSA-5r3h-c3r7-9w4h"],"modified":"2026-02-11T14:40:38.209029Z","published":"2022-11-04T12:15:13.123Z","references":[{"type":"ADVISORY","url":"https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv"},{"type":"REPORT","url":"https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f"},{"type":"REPORT","url":"https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv"},{"type":"FIX","url":"https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f"},{"type":"ARTICLE","url":"https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv"},{"type":"EVIDENCE","url":"https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/pulsar","events":[{"introduced":"2318a180c06c5d885af8cbbbcdae4f2ea8468cc1"},{"fixed":"11b5df797b2e9cb48dfc38137f0b7ef736a8a47c"},{"introduced":"89ac98e4af363b09f2fe8e309539b0e35243aaee"},{"fixed":"02ee5616866d4eda8dd94f85d9d9b71c459f248d"},{"introduced":"b0c45952d063b754e387b3f9cbff279b9885b107"},{"fixed":"8eae5b8d572861e49c40d456b1f3cbc5d414afe1"},{"introduced":"bdd57b21a66b81aab72c4ec39d516ffd2a769c35"},{"fixed":"dd9a5f1f91651b634600f66c53dcc6ad855fb669"}]}],"versions":["v2.10.0","v2.10.0-candidate-5","v2.10.1","v2.10.1-candidate-1","v2.10.2-candidate-1","v2.10.2-candidate-2","v2.7.0","v2.7.0-candidate-2","v2.7.1","v2.7.1-candidate-1","v2.7.2","v2.7.2-candidate-1","v2.7.3","v2.7.3-candidate-1","v2.7.3-candidate-2","v2.7.4","v2.7.4-candidate-1","v2.7.4-candidate-2","v2.7.5-candidate-1","v2.7.5-candidate-2","v2.8.0","v2.8.0-candidate-3","v2.8.1","v2.8.1-candidate-1","v2.8.1-candidate-2","v2.8.1-candidate-3","v2.8.2","v2.8.2-candidate-1","v2.8.2-candidate-2","v2.8.3","v2.8.3-candidate-1","v2.8.3-candidate-2","v2.8.3-candidate-3","v2.8.3-candidate-4","v2.9.0","v2.9.0-candidate-4","v2.9.1","v2.9.1-candidate-1","v2.9.1-candidate-2","v2.9.2","v2.9.2-candidate-1","v2.9.2-candidate-2","v2.9.2-candidate-3","v2.9.2-candidate-4"],"database_specific":{"vanir_signatures":[{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-018afd53","signature_type":"Line","target":{"file":"pulsar-client/src/test/java/org/apache/pulsar/client/impl/schema/StringSchemaTest.java"},"digest":{"line_hashes":["91299493241227289138219011890481713650","293218772531617950389975596110670759057","140077000497705656388338330869846976962","164395833436490618467481649205346938845","87072410201678472616001715298567322317","89200512575109241000101935683598983219","250460567596665958124478341582939894804","198180705343404395870584065502239851675","294495619462321533305764799670587196507","23716380403608855101694856944371042298","222280736005963480416220141900454631647","164395833436490618467481649205346938845","103407127692185112510822500503379797263","69845556192081712382847691371405411766","154565217289115847039917047427936741059","112181499091864473123113347345911281145"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-0b0cac83","signature_type":"Line","target":{"file":"pulsar-client/src/main/java/org/apache/pulsar/client/impl/schema/IntSchema.java"},"digest":{"line_hashes":["120180531927168030273330870341841465608","1802352699267687258845696030946178565","154367080893460698125699013501612136772","331800496060915253044013743870344172518","138463032092823247695023880102303991936","49768789874527134591743115113204225850","144549466109294967950254135746713195949"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/8eae5b8d572861e49c40d456b1f3cbc5d414afe1","signature_version":"v1","id":"CVE-2022-33684-12259f2a","signature_type":"Function","target":{"function":"ClientCredentialFlow::authenticate","file":"pulsar-client-cpp/lib/auth/AuthOauth2.cc"},"digest":{"function_hash":"277975139527168023542583758241860614296","length":2292}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-1b190a04","signature_type":"Line","target":{"file":"pulsar-client/src/main/java/org/apache/pulsar/client/impl/schema/ByteSchema.java"},"digest":{"line_hashes":["243749633182857913887429195168062343065","197185635622926938513298947660734873244","194549953847456973187234002070514712940","238258146877006868377177260026094677945","163780234401669528272353462185489627747","86459475240984229038852772753609506556","98232164322292017208710250110348892507"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-1f89b3f3","signature_type":"Line","target":{"file":"pulsar-client/src/main/java/org/apache/pulsar/client/impl/schema/DateSchema.java"},"digest":{"line_hashes":["208925788192972487895328524267790615408","41872122816247914962358252656204441116","154807324759873900951547259801617244200","52899752285897179125560522475947745588","167797046975100294249413920524728424873","210824240728046225635592238488909737757","200539697147331918971892166376199438652"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-2318960b","signature_type":"Line","target":{"file":"pulsar-client/src/main/java/org/apache/pulsar/client/impl/schema/LocalDateSchema.java"},"digest":{"line_hashes":["52946736806071803826382092735853705779","101588252213583647289207509397439715613","171206648021249392794941859597596463288","168125485604857351593254216463248380921","218295309328474409725133139026345735382","26156066276272052862047938547867755559","105484062620966509236636547901655472634"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-33d699a0","signature_type":"Line","target":{"file":"pulsar-client/src/main/java/org/apache/pulsar/client/impl/schema/FloatSchema.java"},"digest":{"line_hashes":["289671782172750256001490698287054204719","65508458989669512366918442483881970899","115045567674337589287627491358169843006","84291760149949043533801866190760924780","240543810731989950781518414290576124352","245237136018331864047459032648561622825","301667977866025905681474814595769826557"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-3bb02989","signature_type":"Line","target":{"file":"pulsar-common/src/main/java/org/apache/pulsar/client/impl/schema/SchemaInfoImpl.java"},"digest":{"line_hashes":["233308060926403110506156505076798706173","54238498524312850006515375828289772134","106206185923640030783465551816232486181","226214945375596959798255311954700833643","81441358127524768978579215715808700437","276870434901186214210076268394780596026","310028929084957400185809330056001915103","259021247094550820805579516475971473206","32183445277219977728504339977780053214","207933417419992820419328207358637688775","281314854348226782420634185187658300737","216036382171585479031206010888761411894","132039010602423849832791459466599196181","97173416403392533312851118509825216886","164693877081251816875304388934857607863","167294464545518048845392529583898418097","229444914460369587654408788820805549246","10857647438935952956089641391418158558","267113516890850718206651878822844711916","45549329087375087451805731208810915788","18383778746734920990183084355074325984","169378246925575068623058973911179350682","247393264812008909067805984467929891100","73147249945029299712246104347285964974","76548581139623182541063414624682227604"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-3f11defa","signature_type":"Function","target":{"function":"getSchemaHash","file":"pulsar-client/src/main/java/org/apache/pulsar/client/impl/MessageImpl.java"},"digest":{"function_hash":"313819779944555373745984098106598201978","length":112}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-42d65d8a","signature_type":"Function","target":{"function":"testSchemaInfoWithCharset","file":"pulsar-client/src/test/java/org/apache/pulsar/client/impl/schema/StringSchemaTest.java"},"digest":{"function_hash":"174437369741615366848566639657410201131","length":658}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-4af9b614","signature_type":"Function","target":{"function":"of","file":"pulsar-common/src/main/java/org/apache/pulsar/common/protocol/schema/SchemaHash.java"},"digest":{"function_hash":"116115349111518063228880456678819155890","length":285}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-4eb697d0","signature_type":"Line","target":{"file":"pulsar-client/src/main/java/org/apache/pulsar/client/impl/schema/DoubleSchema.java"},"digest":{"line_hashes":["201363055482624329141112235971872958856","13383620033929383068469158132264901216","85106268843646334785387897712834739320","333845028928371364413230132874015649195","154781549404708705101598336607964869650","181880369018801793716393542732541683746","118350599298049934523014208563931525214"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-510dfd60","signature_type":"Line","target":{"file":"pulsar-client/src/main/java/org/apache/pulsar/client/impl/schema/ByteBufferSchema.java"},"digest":{"line_hashes":["66680545020764664798897707077745689964","286614985413669995834595083963308185166","148843007737225992319970717761112763338","89682075701072985010369574930669892281","63779335472367594549425388749965178416","112354829756310038650969351858597745662","168261878107017784265010894612486268637"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-55daee50","signature_type":"Line","target":{"file":"pulsar-common/src/main/java/org/apache/pulsar/common/protocol/schema/SchemaHash.java"},"digest":{"line_hashes":["195375706127683888848450948037970303664","17117672817161810348734621269739317855","231309723865599866905306047984136164401","161553770192237310709361901468894021808","113238818608137189066882214058058031920","40165111051403970036898628650341271274","44676919061592925330942534465866650747","232535974321241317328057496800658925034","164976800130541603928953746522327210239","264726592062504120942691846972178737467","167660914945896900152709190887224295674","110221327299407034034494175758397587692","66518373391408985194157842002442442898","43516831086088421275901398038820688389","266761023412145593284159274402790030051","50313002727478787682288187443654759552","181679024339746157014075044848805946240","148576300982835742640811551755432216359","52865848820681740330292747048232953325","257772546415234472598332452199158876550","171904447082642215054627009288941173061","67253810001783690911442982900193803880","330370269798237421872305888098019190214","24054357040896643557460677093143456017"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-5793915e","signature_type":"Function","target":{"function":"testKeyValueSchemaInfoBackwardCompatibility","file":"pulsar-client/src/test/java/org/apache/pulsar/client/impl/schema/KeyValueSchemaInfoTest.java"},"digest":{"function_hash":"41879656616164991200770634476472743152","length":1141}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-587d833f","signature_type":"Function","target":{"function":"StringSchema","file":"pulsar-client/src/main/java/org/apache/pulsar/client/impl/schema/StringSchema.java"},"digest":{"function_hash":"155089918150880745552197792543615814510","length":334}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-641bc174","signature_type":"Line","target":{"file":"pulsar-client/src/main/java/org/apache/pulsar/client/impl/schema/ShortSchema.java"},"digest":{"line_hashes":["173921973252073399472490574782780468941","188629236832926527427245670858558067315","80994953969924009735157086318602702838","224327683799947795749586469163756910906","223392947902341791842963312428845318262","45609929462207740098455973188284382166","40171578298647580546691302351058781464"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-6fa1d6cd","signature_type":"Function","target":{"function":"of","file":"pulsar-common/src/main/java/org/apache/pulsar/common/protocol/schema/SchemaHash.java"},"digest":{"function_hash":"310618214023064577444530199257174582373","length":160}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-741cdf4a","signature_type":"Line","target":{"file":"pulsar-client/src/main/java/org/apache/pulsar/client/impl/schema/BytesSchema.java"},"digest":{"line_hashes":["3550368451158942957045959901243489996","40488387483116679756825964512712329401","126145691446793687921276450658812377608","226176899966617610274800155422421887711","175444196768895269370385764477122558129","327404440552033298276681095062327000969","15509785359213199679337520762881285361"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-7f4a80b8","signature_type":"Line","target":{"file":"pulsar-client/src/main/java/org/apache/pulsar/client/impl/schema/TimestampSchema.java"},"digest":{"line_hashes":["29311396335275836580929856262373154052","4561223666781330103480768978223944056","239016378221053078940674632031357236376","269702887558484044997066202965694029804","3041333082334551321277615298077230282","203967013998241243973304471319466362984","143084486555336494904577483700003804626"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-8fd389c7","signature_type":"Line","target":{"file":"pulsar-client/src/main/java/org/apache/pulsar/client/impl/schema/InstantSchema.java"},"digest":{"line_hashes":["338361885345763445709478690493309657990","324585654042017068978504798013901387405","324497059498587605308030230236359612304","92304713238920247309581469936003604092","40672287504663965195059196469124547213","32664629553111898619402857931896618471","24016568623777189819736974305756358813"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/8eae5b8d572861e49c40d456b1f3cbc5d414afe1","signature_version":"v1","id":"CVE-2022-33684-92d1ae86","signature_type":"Line","target":{"file":"pulsar-client-cpp/lib/auth/AuthOauth2.cc"},"digest":{"line_hashes":["138731027338807742257602544720899196755","74687474208210138331018143514760494178","127537404541661293760255813251277450694","269130058048547313450032167743061572422","160586998600921754464278051758511912165","138731027338807742257602544720899196755","74687474208210138331018143514760494178","307704974728367209802353624848416088758","101532560577043034689871438614523044420","109557709976533886429298576965339903191"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-a7e58b7f","signature_type":"Line","target":{"file":"pulsar-client/src/main/java/org/apache/pulsar/client/impl/schema/LongSchema.java"},"digest":{"line_hashes":["300646466695263024766569024276099672064","332855433915108934129011848773650524136","278920905453463693394932896476443542643","37956982409717231863070132443455801128","98436538966171292224398737315615845578","186313324894715005408598167632707686512","9989635197443107660359210263074937521"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-b2004091","signature_type":"Line","target":{"file":"pulsar-client/src/main/java/org/apache/pulsar/client/impl/schema/StringSchema.java"},"digest":{"line_hashes":["54386751179809298014036866544686552040","155798236399447765846522232726727390439","73945242960790460339404245070414884932","303913908719548070531111321549824325138","196442363588080939550117066918738294985","271295864538595238012801760650133741059","146995131704884991225931772841962259437","11765614865848539969968637757772411472","245715569461318128576773840242290939656","280361252316349606556250860925292992453","176248012701218503205100584826194191306","230674315526864500628793867478577170181","267832625422603189142028041731086520937","252010214965098933450856741225071633920","25579971442249193866207765972841019001"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-b93ff254","signature_type":"Function","target":{"function":"getBackwardsCompatibleJsonSchemaInfo","file":"pulsar-client/src/main/java/org/apache/pulsar/client/impl/schema/JSONSchema.java"},"digest":{"function_hash":"233422735996039502679761649205440411299","length":377}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-c4ee0329","signature_type":"Function","target":{"function":"of","file":"pulsar-common/src/main/java/org/apache/pulsar/common/protocol/schema/SchemaHash.java"},"digest":{"function_hash":"253127030710633275585108919658404301118","length":113}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-c739609f","signature_type":"Line","target":{"file":"pulsar-client/src/main/java/org/apache/pulsar/client/impl/schema/ByteBufSchema.java"},"digest":{"line_hashes":["2214001320001706742593548328735346671","93994818873642335796345882042841837507","102905945607352376896406212193571055663","110537433209919753669249123834306310784","88679948071732026791343512316955340281","60891684986799526212323251146550914655","211380895037350136293034086579544028686"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-c9713fd8","signature_type":"Line","target":{"file":"pulsar-client/src/main/java/org/apache/pulsar/client/impl/schema/BooleanSchema.java"},"digest":{"line_hashes":["286376402395346228425660414146513662593","201520332019518189713657082646049959638","198305003114763218071063617230708801167","98213733492334618258808170867373950852","45574613170533884841734430210498502384","139862616851057568901963208454687747882","209066395712149736724889277169089108407"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-cb450855","signature_type":"Function","target":{"function":"testSchemaInfoWithoutCharset","file":"pulsar-client/src/test/java/org/apache/pulsar/client/impl/schema/StringSchemaTest.java"},"digest":{"function_hash":"289571536544094363805732126295682527736","length":571}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-d2328d58","signature_type":"Line","target":{"file":"pulsar-client/src/main/java/org/apache/pulsar/client/impl/schema/LocalDateTimeSchema.java"},"digest":{"line_hashes":["311801590956738910426044384590485147843","15893985723702085436172855631676869315","181022124695410520012112002636109620554","139110559170590153475560324029840041118","294917011855115463126748243790625565997","130389256772894967574029395242928494485","58206813073819131856549758035182151988"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-d390dd4e","signature_type":"Line","target":{"file":"pulsar-client/src/test/java/org/apache/pulsar/client/impl/schema/KeyValueSchemaInfoTest.java"},"digest":{"line_hashes":["307555940891448568381444559365381466065","193438137339325054515654378359371745091","17076774025589795068763669857262956890","210350618997398849701971773191133193291","167264735982602582682935204607591034010","92251710512279851841865201188922475637","253555044445731315537783846990757163560","154322537707652574845240009075974617586"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-d91b6585","signature_type":"Line","target":{"file":"pulsar-client/src/main/java/org/apache/pulsar/client/impl/schema/TimeSchema.java"},"digest":{"line_hashes":["313609194580671396019735320756767094126","24041352642897339881792222969511003947","57094093102388034798866917704875634190","305770437207041507145025908420764684922","70485450554102777417385042498659625654","49436454077293381892912104156391104451","339853980130644035392414866258025394156"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/8eae5b8d572861e49c40d456b1f3cbc5d414afe1","signature_version":"v1","id":"CVE-2022-33684-df50935f","signature_type":"Function","target":{"function":"ClientCredentialFlow::initialize","file":"pulsar-client-cpp/lib/auth/AuthOauth2.cc"},"digest":{"function_hash":"251125620373411933348266831728513899338","length":1666}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-e53231f0","signature_type":"Line","target":{"file":"pulsar-client/src/main/java/org/apache/pulsar/client/impl/schema/LocalTimeSchema.java"},"digest":{"line_hashes":["284731129239960782296491607194396203931","260025633113664689957439581084461080674","102073473801019958763573167279359656465","166197474186238157100361150215111938321","122993692529319133333859883619966853865","239529634889085679792156655661134930773","211926365071568993196502428092826579235"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-e7720b3f","signature_type":"Line","target":{"file":"pulsar-client/src/main/java/org/apache/pulsar/client/impl/MessageImpl.java"},"digest":{"line_hashes":["274004388663504078949970942858735283931","314883020568634604416842713477091597697","26521325820873070186888439330451043417","107968624234378705782691459118453590110"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/apache/pulsar/commit/11b5df797b2e9cb48dfc38137f0b7ef736a8a47c","signature_version":"v1","id":"CVE-2022-33684-e8850dd1","signature_type":"Line","target":{"file":"pulsar-client/src/main/java/org/apache/pulsar/client/impl/schema/JSONSchema.java"},"digest":{"line_hashes":["309323082950500187681662576481401526322","53435082097265321736072033310910817663","239606112394399078693229675483968704172","328307857566290917374559631679446460886","273068119362974291505722253395240511566","310523767658556454213764167037018715484","187409829798384227400225184662847726543","68668681917118308340772636169261951838"],"threshold":0.9}}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-33684.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}