Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2019-0223

Опубликовано: 23 апр. 2019
Источник: debian
EPSS Низкий

Описание

While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
qpid-protonfixed0.22.0-1package
qpid-protonno-dsastretchpackage
qpid-protonignoredjessiepackage

Примечания

  • https://issues.apache.org/jira/browse/PROTON-2014

  • https://qpid.apache.org/cves/CVE-2019-0223.html

  • https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=97c7733

  • https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=159fac1

  • https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=4aea0fd

  • https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=2d3ba8a

  • Source-wise only fixed in 0.27.1 upstream, but 0.22.0-1 upload in

  • unstable switched to build against OpenSSL 1.1 adressing the issue.

  • The description tells that the vulnerability was introduced in 0.9 but the

  • version in jessie (0.7) seems to be vulnerable too even though one file is

  • not present in the jessie version. That part do not seem to be essential for

  • the package to be vulnerable.

EPSS

Процентиль: 60%
0.00399
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2019-0223

CVSS3: 7.4
ubuntu
почти 7 лет назад

While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.

redhat логотип

CVE-2019-0223

CVSS3: 7.4
redhat
почти 7 лет назад

While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.

nvd логотип

CVE-2019-0223

CVSS3: 7.4
nvd
почти 7 лет назад

While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.

suse-cvrf логотип

SUSE-SU-2024:1074-1

suse-cvrf
почти 2 года назад

Security update for qpid-proton

github логотип

GHSA-5h6x-m52p-23ph

CVSS3: 7.4
github
больше 3 лет назад

Withdrawn Advisory: Improper Certificate Validation in Apache Qpid Proton

EPSS

Процентиль: 60%
0.00399
Низкий