CVSS3: 7.4 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS2: 5.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS: 0.002 Low
Percentile: 58.3%

While investigating bug PROTON-2014, we discovered that under some
circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its
language bindings) can connect to a peer anonymously using TLS even when
configured to verify the peer certificate when used with OpenSSL versions
before 1.1.0. This means that an undetected man-in-the-middle attack could
be constructed if an attacker can arrange to intercept TLS traffic.

OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | qpid-proton | < any | UNKNOWN |
ubuntu | 16.04 | noarch | qpid-proton | < any | UNKNOWN |
www.openwall.com/lists/oss-security/2019/04/23/4
gitbox.apache.org/repos/asf?p=qpid-proton.git;h=159fac1
gitbox.apache.org/repos/asf?p=qpid-proton.git;h=2d3ba8a
gitbox.apache.org/repos/asf?p=qpid-proton.git;h=4aea0fd
gitbox.apache.org/repos/asf?p=qpid-proton.git;h=97c7733
issues.apache.org/jira/browse/PROTON-2014
issues.apache.org/jira/browse/PROTON-2014?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel
launchpad.net/bugs/cve/CVE-2019-0223
lists.apache.org/thread.html/008ee5e78e5a090e1fcc5f6617f425e4e51d59f03d3eda2dd006df9f@%3Cusers.qpid.apache.org%3E
lists.apache.org/thread.html/3adb2f020f705b4fd453982992a68cd10f9d5ac728b699efdb73c1f5@%3Cdev.qpid.apache.org%3E
lists.apache.org/thread.html/49c83f0acce5ceaeffca51714ec2ba0f0199bcb8f99167181bba441b@%3Cdev.qpid.apache.org%3E
lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d@%3Ccommits.qpid.apache.org%3E
lists.apache.org/thread.html/d9c9a882a292e2defaed1f954528c916fb64497ce57db652727e39b0@%3Cannounce.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2019-0223
qpid.apache.org/cves/CVE-2019-0223.html
security-tracker.debian.org/tracker/CVE-2019-0223
www.cve.org/CVERecord?id=CVE-2019-0223