Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJtN2ctOXE3NC05bTNx

Improper Certificate Validation in Apache Beam

The Apache Beam MongoDB connector in versions 2.10.0 to 2.16.0 has an option to disable SSL trust verification. However this configuration is not respected and the certificate verification disables trust verification in every case. This exclusion also gets registered globally which disables trust checking for any code running in the same JVM.

Permalink: https://github.com/advisories/GHSA-2m7g-9q74-9m3q
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJtN2ctOXE3NC05bTNx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 5 years ago
Updated: about 2 years ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Percentage: 0.00103
EPSS Percentile: 0.43504

Identifiers: GHSA-2m7g-9q74-9m3q, CVE-2020-1929
References:

Repository: https://github.com/apache/beam
Blast Radius: 12.1

Affected Packages

maven:org.apache.beam:beam-sdks-java-io-mongodb

Dependent packages: 4
Dependent repositories: 41
Downloads:
Affected Version Ranges: >= 2.10.0, <= 2.16.0
Fixed in: 2.17.0
All affected versions: 2.10.0, 2.11.0, 2.12.0, 2.13.0, 2.14.0, 2.15.0, 2.16.0
All unaffected versions: 0.4.0, 0.5.0, 0.6.0, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.17.0, 2.18.0, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, 2.25.0, 2.26.0, 2.27.0, 2.28.0, 2.29.0, 2.30.0, 2.31.0, 2.32.0, 2.33.0, 2.34.0, 2.35.0, 2.36.0, 2.37.0, 2.38.0, 2.39.0, 2.40.0, 2.41.0, 2.42.0, 2.43.0, 2.44.0, 2.45.0, 2.46.0, 2.47.0, 2.48.0, 2.49.0, 2.50.0, 2.51.0, 2.52.0, 2.53.0, 2.54.0, 2.55.0, 2.55.1, 2.56.0, 2.57.0, 2.58.0, 2.58.1, 2.59.0, 2.60.0, 2.61.0