7.4

CVE-2019-0223

EPSS 0.53%
Veröffentlicht 23.04.2019 16:29:00
Zuletzt bearbeitet 21.11.2024 04:16:31
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 0 Referenzen 21

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Qpid Version >= 0.9 <= 0.27.0

Redhat ≫ Jboss Amq Clients 2 Version-

Redhat ≫ Linux Version6.0
Redhat ≫ Linux Version7.0

Redhat ≫ Openstack Version13

Redhat ≫ Openstack Version14

Redhat ≫ Satellite Version6.3

Redhat ≫ Satellite Version6.4

Redhat ≫ Satellite Version6.5

Redhat ≫ Enterprise Linux Desktop Version6.0

Redhat ≫ Enterprise Linux Desktop Version7.0

Redhat ≫ Enterprise Linux Eus Version6.7

Redhat ≫ Enterprise Linux Eus Version7.2

Redhat ≫ Enterprise Linux Eus Version7.3

Redhat ≫ Enterprise Linux Eus Version7.4

Redhat ≫ Enterprise Linux Eus Version7.5

Redhat ≫ Enterprise Linux Eus Version7.6

Redhat ≫ Enterprise Linux Server Version6.0

Redhat ≫ Enterprise Linux Server Version7.0

Redhat ≫ Enterprise Linux Server Aus Version5.9

Redhat ≫ Enterprise Linux Server Aus Version6.4

Redhat ≫ Enterprise Linux Server Aus Version6.5

Redhat ≫ Enterprise Linux Server Aus Version6.6

Redhat ≫ Enterprise Linux Server Aus Version7.2

Redhat ≫ Enterprise Linux Server Aus Version7.3

Redhat ≫ Enterprise Linux Server Aus Version7.4

Redhat ≫ Enterprise Linux Server Aus Version7.6

Redhat ≫ Enterprise Linux Server Tus Version7.2

Redhat ≫ Enterprise Linux Server Tus Version7.3

Redhat ≫ Enterprise Linux Server Tus Version7.4

Redhat ≫ Enterprise Linux Server Tus Version7.6

Redhat ≫ Enterprise Linux Workstation Version6.0

Redhat ≫ Enterprise Linux Workstation Version7.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.53%	0.663

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.4	2.2	5.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov	5.8	8.6	4.9	AV:N/AC:M/Au:N/C:P/I:P/A:N

https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E

http://www.openwall.com/lists/oss-security/2019/04/23/4

Third Party Advisory

Mailing List

http://www.securityfocus.com/bid/108044

Broken Link

https://access.redhat.com/errata/RHSA-2019:0886

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1398

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1399

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1400

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2777

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2778

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2779

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2780

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2781

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2782

Third Party Advisory

https://issues.apache.org/jira/browse/PROTON-2014?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel

Vendor Advisory

Issue Tracking

https://lists.apache.org/thread.html/008ee5e78e5a090e1fcc5f6617f425e4e51d59f03d3eda2dd006df9f%40%3Cusers.qpid.apache.org%3E

https://lists.apache.org/thread.html/3adb2f020f705b4fd453982992a68cd10f9d5ac728b699efdb73c1f5%40%3Cdev.qpid.apache.org%3E

https://lists.apache.org/thread.html/49c83f0acce5ceaeffca51714ec2ba0f0199bcb8f99167181bba441b%40%3Cdev.qpid.apache.org%3E

https://lists.apache.org/thread.html/d9c9a882a292e2defaed1f954528c916fb64497ce57db652727e39b0%40%3Cannounce.apache.org%3E

https://nvd.nist.gov/vuln/detail/CVE-2019-0223

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-0223

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-0223

EUVD