TLS Man in the Middle Vulnerability in Apache Qpid Proton
CVE-2019-0223

7.4 HIGH

Key Information:

Vendor: Apache
CVE Published: 23 April 2019

Summary

A TLS flaw in Apache Qpid Proton can cause the library to connect to a peer anonymously, bypassing verification of the peer certificate. The issue affects versions 0.9 through 0.27.0 when used with OpenSSL versions earlier than 1.1.0, and it permits a man-in-the-middle attack if the attacker can intercept the TLS traffic. This could lead to data breaches or unauthorized access to sensitive information.

Affected Version(s)

Apache Qpid Proton 0.9 to 0.27.0

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
