PT-2019-2586 · Apache+1 · Apache Qpid Proton+1

Published: 2019-03-06 · Updated: 2024-03-30 · CVE-2019-0223

CVSS v3.1: 7.4 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Apache Qpid Proton versions 0.9 through 0.27.0
Description: The issue stems from errors in the certificate authentication procedure. A remote attacker can carry out a man-in-the-middle attack and intercept TLS traffic by connecting anonymously to a peer node over TLS, even when that peer is configured to verify the peer certificate. This is possible when Apache Qpid Proton is used with OpenSSL versions before 1.1.0.
Recommendations: For Apache Qpid Proton versions 0.9 through 0.27.0, consider disabling TLS anonymous connections until a patch is available. Restrict access to the TLS configuration to minimize the risk of exploitation. Avoid using OpenSSL versions before 1.1.0 with Apache Qpid Proton to reduce exposure to man-in-the-middle attacks.
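The recommendation above turns on whether a configuration still admits anonymous (unauthenticated) cipher suites. The following Python script is an added example written for this record, not Apache Qpid Proton's code or configuration API: it expands an OpenSSL cipher string with the local OpenSSL build and lists any anonymous suites it admits, and it scans handshake log lines for connections that negotiated one. The cipher strings and the log format are constructed assumptions; what the "weak" string admits depends on which suites the local OpenSSL build was compiled with.

```python
"""Check an OpenSSL cipher string and handshake logs for anonymous TLS suites.

Added example for the advisory above, not Apache Qpid Proton's code: it
shows how to confirm that a configuration admits no anonymous
(unauthenticated) cipher suites, and how to spot handshakes that negotiated
one. The cipher strings and log lines are constructed for illustration.
"""
import re
import ssl

# OpenSSL names anonymous suites with an "ADH-" (anonymous DH) or "AECDH-"
# (anonymous ECDH) prefix; IANA-style names carry "anon" (e.g. TLS_DH_anon_...).
_ANON_NAME = re.compile(r"^(?:ADH|AECDH)-|_anon_", re.IGNORECASE)


def is_anonymous_suite(name: str) -> bool:
    """True if the suite authenticates neither peer (no certificate is sent),
    which is what lets an interceptor sit in the middle unnoticed."""
    return bool(_ANON_NAME.search(name))


def anonymous_suites_enabled(cipher_string: str) -> list:
    """Expand an OpenSSL cipher string with the local OpenSSL build and return
    the anonymous suites it admits. If the build can select no cipher at all
    from the string (anonymous suites compiled out, say), nothing is admitted
    and an empty list is returned."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if is_anonymous_suite(c["name"])]


# Constructed handshake log lines in a hypothetical format (not Proton's).
SAMPLE_LOG = """\
2019-03-06T10:00:01Z tls handshake peer=10.0.0.5:5671 cipher=ECDHE-RSA-AES256-GCM-SHA384
2019-03-06T10:00:02Z tls handshake peer=10.0.0.9:5671 cipher=ADH-AES256-GCM-SHA384
2019-03-06T10:00:03Z tls handshake peer=10.0.0.7:5671 cipher=AECDH-AES128-SHA
2019-03-06T10:00:04Z tls handshake peer=10.0.0.5:5671 cipher=TLS_AES_256_GCM_SHA384
"""

_HANDSHAKE = re.compile(r"peer=(?P<peer>\S+) cipher=(?P<cipher>\S+)")


def flag_anonymous_handshakes(log_text: str) -> list:
    """Return (peer, cipher) pairs for handshakes that negotiated an anonymous
    suite; each one is a connection whose peer identity was never verified."""
    hits = []
    for line in log_text.splitlines():
        m = _HANDSHAKE.search(line)
        if m and is_anonymous_suite(m.group("cipher")):
            hits.append((m.group("peer"), m.group("cipher")))
    return hits


if __name__ == "__main__":
    weak = "ALL"                        # admits anonymous suites if the build has them
    hardened = "DEFAULT:!aNULL:!eNULL"  # excludes anonymous and null-encryption suites
    print("weak     :", anonymous_suites_enabled(weak))
    print("hardened :", anonymous_suites_enabled(hardened))
    for peer, cipher in flag_anonymous_handshakes(SAMPLE_LOG):
        print(f"anonymous handshake with {peer} using {cipher}")
```

Excluding `aNULL` in the cipher string is the configuration-level counterpart of the advisory's recommendation: with no anonymous suite available, a peer that presents no certificate cannot complete the handshake, regardless of how the certificate-verification path behaves on an older OpenSSL.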

Fix

Weakness Enumeration: Improper Certificate Validation

Related Identifiers

BDU:2019-02465
CVE-2019-0223
GHSA-5H6X-M52P-23PH
OPENSUSE-SU-2024:13808-1
RHSA-2019:0886
RHSA-2019:1398
RHSA-2019:1399
RHSA-2019:1400
RHSA-2019:2777
RHSA-2019:2778
RHSA-2019:2779
RHSA-2019:2780
RHSA-2019:2781
RHSA-2019:2782
SUSE-SU-2024:1074-1

Affected Products

Apache Qpid Proton
OpenSSL