GHSA-5h6x-m52p-23ph

Source

https://github.com/advisories/GHSA-5h6x-m52p-23ph

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5h6x-m52p-23ph/GHSA-5h6x-m52p-23ph.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5h6x-m52p-23ph

Aliases

CVE-2019-0223

Published

2022-05-24T16:44:10Z

Modified

2023-11-08T04:00:31.909589Z

Severity

7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Improper Certificate Validation in Apache Qpid Proton

Details

While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS even when configured to verify the peer certificate while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.

References

Affected packages

Maven / org.apache.qpid:proton-j

Package

Name: org.apache.qpid:proton-j; View open source insights on deps.dev
Purl: pkg:maven/org.apache.qpid/proton-j

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.9

Fixed

0.27.1

Affected versions

0.*

0.9

0.9.1

0.10

0.11.0

0.11.1

0.12.0

0.12.1

0.12.2

0.13.0

0.13.1

0.14.0

0.15.0

0.16.0

0.17.0

0.18.0

0.19.0

0.20.0

0.21.0

0.22.0

0.23.0

0.24.0

0.25.0

0.26.0

0.27.0