CVE-2019-0223
PUBLISHED
While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* when used with OpenSSL versions before 1.1.0. This means that an undetected man-in-the-middle attack could be constructed if an attacker can arrange to intercept TLS traffic.
Risk Scores
EPSS Score: 0.40% (61.0th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | qpid-proton | 0.14.0-5.1, 0.14.0-5.1ubuntu1, 0 |
| Ubuntu:16.04:LTS | qpid-proton | 0, 0.10-2, 0.7-2 |
Exploit Intelligence
- [qpid-dev] 20190423 [jira] [Updated] (PROTON-2014) [CVE-2019-0223] TLS Man in the Middle Vulnerability (circl)
- [qpid-dev] 20190423 [SECURITY] CVE-2019-0223: Apache Qpid Proton TLS Man in the Middle Vulnerability (circl)
- [oss-security] 20190423 [SECURITY] CVE-2019-0223: Apache Qpid Proton TLS Man in the Middle Vulnerability (circl)
- [announce] 20190423 [SECURITY] CVE-2019-0223: Apache Qpid Proton TLS Man in the Middle Vulnerability (circl)
- [SECURITY] CVE-2019-0223: Apache Qpid Proton TLS Man in the Middle Vulnerability (circl)
- https://issues.apache.org/jira/browse/PROTON-2014?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel (circl)
- [qpid-commits] 20190423 [qpid-site] branch asf-site updated: update site content for CVE-2019-0223 (circl)
- 108044 (circl)
- RHSA-2019:0886 (circl)
- RHSA-2019:1399 (circl)
Timeline
- Apr 23, 2019 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-0223 third-party-advisory
- https://issues.apache.org/jira/browse/PROTON-2014 third-party-advisory
- https://qpid.apache.org/cves/CVE-2019-0223.html third-party-advisory
- https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=97c7733 third-party-advisory
- https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=159fac1 third-party-advisory
- https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=4aea0fd third-party-advisory
- https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=2d3ba8a third-party-advisory
- http://www.openwall.com/lists/oss-security/2019/04/23/4 third-party-advisory
- https://issues.apache.org/jira/browse/PROTON-2014?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel third-party-advisory
- https://lists.apache.org/thread.html/008ee5e78e5a090e1fcc5f6617f425e4e51d59f03d3eda2dd006df9f@%3Cusers.qpid.apache.org%3E third-party-advisory
- https://lists.apache.org/thread.html/3adb2f020f705b4fd453982992a68cd10f9d5ac728b699efdb73c1f5@%3Cdev.qpid.apache.org%3E third-party-advisory
- https://lists.apache.org/thread.html/49c83f0acce5ceaeffca51714ec2ba0f0199bcb8f99167181bba441b@%3Cdev.qpid.apache.org%3E third-party-advisory
- https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d@%3Ccommits.qpid.apache.org%3E third-party-advisory
- https://lists.apache.org/thread.html/d9c9a882a292e2defaed1f954528c916fb64497ce57db652727e39b0@%3Cannounce.apache.org%3E third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-0223 third-party-advisory