mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-07-29 05:56:59 +00:00
117 lines
5.0 KiB
JSON
117 lines
5.0 KiB
JSON
{
|
|
"data_type": "CVE",
|
|
"data_format": "MITRE",
|
|
"data_version": "4.0",
|
|
"CVE_data_meta": {
|
|
"ID": "CVE-2019-0223",
|
|
"ASSIGNER": "security@apache.org",
|
|
"STATE": "PUBLIC"
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"vendor_name": "Apache Software Foundation",
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "Apache Qpid Proton",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_value": "0.9 to 0.27.0"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "Man-in-the-middle Attack"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"refsource": "MLIST",
|
|
"name": "[qpid-dev] 20190423 [jira] [Updated] (PROTON-2014) [CVE-2019-0223] TLS Man in the Middle Vulnerability",
|
|
"url": "https://lists.apache.org/thread.html/49c83f0acce5ceaeffca51714ec2ba0f0199bcb8f99167181bba441b@%3Cdev.qpid.apache.org%3E"
|
|
},
|
|
{
|
|
"refsource": "MLIST",
|
|
"name": "[qpid-dev] 20190423 [SECURITY] CVE-2019-0223: Apache Qpid Proton TLS Man in the Middle Vulnerability",
|
|
"url": "https://lists.apache.org/thread.html/3adb2f020f705b4fd453982992a68cd10f9d5ac728b699efdb73c1f5@%3Cdev.qpid.apache.org%3E"
|
|
},
|
|
{
|
|
"refsource": "MLIST",
|
|
"name": "[oss-security] 20190423 [SECURITY] CVE-2019-0223: Apache Qpid Proton TLS Man in the Middle Vulnerability",
|
|
"url": "http://www.openwall.com/lists/oss-security/2019/04/23/4"
|
|
},
|
|
{
|
|
"refsource": "MLIST",
|
|
"name": "[announce] 20190423 [SECURITY] CVE-2019-0223: Apache Qpid Proton TLS Man in the Middle Vulnerability",
|
|
"url": "https://lists.apache.org/thread.html/d9c9a882a292e2defaed1f954528c916fb64497ce57db652727e39b0@%3Cannounce.apache.org%3E"
|
|
},
|
|
{
|
|
"refsource": "MLIST",
|
|
"name": "[SECURITY] CVE-2019-0223: Apache Qpid Proton TLS Man in the Middle Vulnerability",
|
|
"url": "https://lists.apache.org/thread.html/008ee5e78e5a090e1fcc5f6617f425e4e51d59f03d3eda2dd006df9f@%3Cusers.qpid.apache.org%3E"
|
|
},
|
|
{
|
|
"refsource": "MISC",
|
|
"name": "https://issues.apache.org/jira/browse/PROTON-2014?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel",
|
|
"url": "https://issues.apache.org/jira/browse/PROTON-2014?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel"
|
|
},
|
|
{
|
|
"refsource": "MLIST",
|
|
"name": "qpid-commits] 20190423 [qpid-site] branch asf-site updated: update site content for CVE-2019-0223",
|
|
"url": "https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d@%3Ccommits.qpid.apache.org%3E"
|
|
},
|
|
{
|
|
"refsource": "BID",
|
|
"name": "108044",
|
|
"url": "http://www.securityfocus.com/bid/108044"
|
|
},
|
|
{
|
|
"refsource": "REDHAT",
|
|
"name": "RHSA-2019:0886",
|
|
"url": "https://access.redhat.com/errata/RHSA-2019:0886"
|
|
},
|
|
{
|
|
"refsource": "REDHAT",
|
|
"name": "RHSA-2019:1399",
|
|
"url": "https://access.redhat.com/errata/RHSA-2019:1399"
|
|
},
|
|
{
|
|
"refsource": "REDHAT",
|
|
"name": "RHSA-2019:1400",
|
|
"url": "https://access.redhat.com/errata/RHSA-2019:1400"
|
|
},
|
|
{
|
|
"refsource": "REDHAT",
|
|
"name": "RHSA-2019:1398",
|
|
"url": "https://access.redhat.com/errata/RHSA-2019:1398"
|
|
}
|
|
]
|
|
},
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic."
|
|
}
|
|
]
|
|
}
|
|
} |