Home

CVE-2019-0223

Description

While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.

Risk Information

Base Score
7.4
MODERATE
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score
Exploitation Probability
0.399

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2019-0223 are fixed in Apache-proton-j 0.27.1Windows
(RHSA-2019:2780) qpid-proton security update python-qpid-proton-0.16.0-14.el6sat.i686.rpmLinux
(RHSA-2019:2780) qpid-proton security update python-qpid-proton-0.16.0-14.el6sat.x86_64.rpmLinux
(RHSA-2019:2780) qpid-proton security update python-qpid-proton-0.28.0-1.el7.x86_64.rpmLinux
(RHSA-2019:2780) qpid-proton security update python-qpid-proton-0.9-22.el5.i386.rpmLinux
(RHSA-2019:2780) qpid-proton security update python-qpid-proton-0.9-22.el5.x86_64.rpmLinux
(RHSA-2019:2780) qpid-proton security update python3-qpid-proton-0.28.0-1.el8.x86_64.rpmLinux
(RHSA-2019:2780) qpid-proton security update qpid-proton-c-0.16.0-14.el6sat.i686.rpmLinux
(RHSA-2019:2780) qpid-proton security update qpid-proton-c-0.16.0-14.el6sat.x86_64.rpmLinux
(RHSA-2019:2780) qpid-proton security update qpid-proton-c-0.28.0-1.el7.x86_64.rpmLinux
(RHSA-2019:2780) qpid-proton security update qpid-proton-c-0.28.0-1.el8.x86_64.rpmLinux
(RHSA-2019:2780) qpid-proton security update qpid-proton-c-0.9-22.el5.i386.rpmLinux
(RHSA-2019:2780) qpid-proton security update qpid-proton-c-0.9-22.el5.x86_64.rpmLinux
(RHSA-2019:2780) qpid-proton security update qpid-proton-debugsource-0.28.0-1.el8.x86_64.rpmLinux
Vulnerabilities CVE-2019-0223 are fixed in Apache-proton-j for Linux 0.27.1Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234