GHSA-5h6x-m52p-23ph

Source

https://github.com/advisories/GHSA-5h6x-m52p-23ph

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5h6x-m52p-23ph/GHSA-5h6x-m52p-23ph.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5h6x-m52p-23ph

Withdrawn

2025-07-01T21:15:27Z

Published

2022-05-24T16:44:10Z

Modified

2025-07-01T21:45:11.359740Z

Severity

7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Withdrawn Advisory: Improper Certificate Validation in Apache Qpid Proton

Details

Withdrawn Advisory

This advisory has been withdrawn because the vulnerability only affects the Qpid Proton C library and not org.apache.qpid:proton-j. This link has been maintained to preserve external references.

Original Description

While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS even when configured to verify the peer certificate while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.

Database specific

{
    "nvd_published_at": "2019-04-23T16:29:00Z",
    "github_reviewed_at": "2022-11-02T00:05:42Z",
    "github_reviewed": true,
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-295"
    ]
}

References

Affected packages

Maven / org.apache.qpid:proton-j

Package

Name: org.apache.qpid:proton-j; View open source insights on deps.dev
Purl: pkg:maven/org.apache.qpid/proton-j

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.9

Fixed

0.27.1

Affected versions

0.*

0.9

0.9.1

0.10

0.11.0

0.11.1

0.12.0

0.12.1

0.12.2

0.13.0

0.13.1

0.14.0

0.15.0

0.16.0

0.17.0

0.18.0

0.19.0

0.20.0

0.21.0

0.22.0

0.23.0

0.24.0

0.25.0

0.26.0

0.27.0