Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS01aDZ4LW01MnAtMjNwaM4AAggM

Improper Certificate Validation in Apache Qpid Proton

While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS even when configured to verify the peer certificate while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.

Permalink: https://github.com/advisories/GHSA-5h6x-m52p-23ph
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01aDZ4LW01MnAtMjNwaM4AAggM
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago

CVSS Score: 7.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Identifiers: GHSA-5h6x-m52p-23ph, CVE-2019-0223
References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-0223
• https://issues.apache.org/jira/browse/PROTON-2014?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel
• https://lists.apache.org/thread.html/008ee5e78e5a090e1fcc5f6617f425e4e51d59f03d3eda2dd006df9f@%3Cusers.qpid.apache.org%3E
• https://lists.apache.org/thread.html/3adb2f020f705b4fd453982992a68cd10f9d5ac728b699efdb73c1f5@%3Cdev.qpid.apache.org%3E
• https://lists.apache.org/thread.html/49c83f0acce5ceaeffca51714ec2ba0f0199bcb8f99167181bba441b@%3Cdev.qpid.apache.org%3E
• https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d@%3Ccommits.qpid.apache.org%3E
• https://lists.apache.org/thread.html/d9c9a882a292e2defaed1f954528c916fb64497ce57db652727e39b0@%3Cannounce.apache.org%3E
• http://www.openwall.com/lists/oss-security/2019/04/23/4
• http://www.securityfocus.com/bid/108044
• https://github.com/advisories/GHSA-5h6x-m52p-23ph

Blast Radius: 20.2

Affected Packages