Home > Vulnerability Database > CVE-2019-0223

Mend.io Vulnerability Database

CVE-2019-0223

Good to know:

Date: April 23, 2019

While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.

Language: C

Severity Score

7.4

Related Resources (21)

Url: https://access.redhat.com/errata/RHSA-2019:1398

Url: http://www.openwall.com/lists/oss-security/2019/04/23/4

Url: https://access.redhat.com/errata/RHSA-2019:2782

Url: https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d@%3Ccommits.qpid.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2019:2781

Url: https://lists.apache.org/thread.html/3adb2f020f705b4fd453982992a68cd10f9d5ac728b699efdb73c1f5@%3Cdev.qpid.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2019:2777

Url: https://access.redhat.com/errata/RHSA-2019:1400

Url: https://nvd.nist.gov/vuln/detail/CVE-2019-0223

Url: https://access.redhat.com/errata/RHSA-2019:1399

Url: https://lists.apache.org/thread.html/d9c9a882a292e2defaed1f954528c916fb64497ce57db652727e39b0@%3Cannounce.apache.org%3E

Url: https://lists.apache.org/thread.html/49c83f0acce5ceaeffca51714ec2ba0f0199bcb8f99167181bba441b@%3Cdev.qpid.apache.org%3E

Url: https://issues.apache.org/jira/browse/PROTON-2014?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel

Url: http://www.securityfocus.com/bid/108044

Url: https://access.redhat.com/errata/RHSA-2019:2780

Url: https://lists.apache.org/thread.html/008ee5e78e5a090e1fcc5f6617f425e4e51d59f03d3eda2dd006df9f@%3Cusers.qpid.apache.org%3E

Url: https://security-tracker.debian.org/tracker/CVE-2019-0223

Url: https://access.redhat.com/errata/RHSA-2019:0886

Url: https://access.redhat.com/errata/RHSA-2019:2779

Url: https://access.redhat.com/errata/RHSA-2019:2778

Url: https://www.mend.io/vulnerability-database/CVE-2019-0223

Severity Score

7.4

Weakness Type (CWE)

Improper Certificate Validation

CWE-295

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version 0.27.1-rc1

Learn More

CVSS v3.1

Base Score:	7.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	5.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2019-0223

Good to know:

Date: April 23, 2019

Language: C

Severity Score

Related Resources (21)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?