CVE-2019-16791

EPSS 0.67%
Veröffentlicht 22.01.2020 02:15:11
Zuletzt bearbeitet 21.11.2024 04:31:11
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

downgrade of effective Strict Transport Security (STS) policy in postfix-mta-sts-resolver

In postfix-mta-sts-resolver before 0.5.1, All users can receive incorrect response from daemon under rare conditions, rendering downgrade of effective STS policy.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Postfix-mta-sts-resolver Project ≫ Postfix-mta-sts-resolver Version < 0.5.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.67%	0.471

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:N/A:P
security-advisories@github.com	6.9	0.6	5.8	CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

CWE-757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.

https://gist.github.com/Snawoot/b9da85d6b26dea5460673b29df1adc6b

Patch

Third Party Advisory

https://github.com/Snawoot/postfix-mta-sts-resolver/security/advisories/GHSA-h92m-42h4-82f6

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-16791

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-16791

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-16791

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2019-16791