Home > Vulnerability Database > CVE-2019-0223

Mend.io Vulnerability Database

CVE-2019-0223

Good to know:

Date: April 23, 2019

While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS even when configured to verify the peer certificate while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.

Language: C

Severity Score

7.4

Related Resources (25)

Url: https://access.redhat.com/errata/RHSA-2019:1398

Url: http://www.openwall.com/lists/oss-security/2019/04/23/4

Url: https://access.redhat.com/errata/RHSA-2019:2782

Url: https://access.redhat.com/errata/RHSA-2019:2781

Url: https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d@%3Ccommits.qpid.apache.org%3E

Url: https://lists.apache.org/thread.html/49c83f0acce5ceaeffca51714ec2ba0f0199bcb8f99167181bba441b%40%3Cdev.qpid.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2019:2777

Url: https://lists.apache.org/thread.html/3adb2f020f705b4fd453982992a68cd10f9d5ac728b699efdb73c1f5@%3Cdev.qpid.apache.org%3E

Url: https://lists.apache.org/thread.html/008ee5e78e5a090e1fcc5f6617f425e4e51d59f03d3eda2dd006df9f%40%3Cusers.qpid.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2019:1400

Url: https://nvd.nist.gov/vuln/detail/CVE-2019-0223

Url: https://access.redhat.com/errata/RHSA-2019:1399

Url: https://lists.apache.org/thread.html/d9c9a882a292e2defaed1f954528c916fb64497ce57db652727e39b0@%3Cannounce.apache.org%3E

Url: https://lists.apache.org/thread.html/49c83f0acce5ceaeffca51714ec2ba0f0199bcb8f99167181bba441b@%3Cdev.qpid.apache.org%3E

Url: https://issues.apache.org/jira/browse/PROTON-2014?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel

Url: https://access.redhat.com/errata/RHSA-2019:2780

Url: http://www.securityfocus.com/bid/108044

Url: https://lists.apache.org/thread.html/008ee5e78e5a090e1fcc5f6617f425e4e51d59f03d3eda2dd006df9f@%3Cusers.qpid.apache.org%3E

Url: https://lists.apache.org/thread.html/d9c9a882a292e2defaed1f954528c916fb64497ce57db652727e39b0%40%3Cannounce.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2019:2779

Url: https://access.redhat.com/errata/RHSA-2019:0886

Url: https://access.redhat.com/errata/RHSA-2019:2778

Url: https://lists.apache.org/thread.html/3adb2f020f705b4fd453982992a68cd10f9d5ac728b699efdb73c1f5%40%3Cdev.qpid.apache.org%3E

Url: https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E

Url: https://www.mend.io/vulnerability-database/CVE-2019-0223

Severity Score

7.4

Weakness Type (CWE)

Improper Certificate Validation

CWE-295

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version org.apache.qpid:proton-j:0.27.1

Learn More

CVSS v3.1

Base Score:	7.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	5.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2019-0223

Good to know:

Date: April 23, 2019

Language: C

Severity Score

Related Resources (25)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?