GHSA-5h6x-m52p-23ph

Suggest an improvement
Source
https://github.com/advisories/GHSA-5h6x-m52p-23ph
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5h6x-m52p-23ph/GHSA-5h6x-m52p-23ph.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5h6x-m52p-23ph
Aliases
Published
2022-05-24T16:44:10Z
Modified
2023-11-08T04:00:31.909589Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Improper Certificate Validation in Apache Qpid Proton
Details

While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS even when configured to verify the peer certificate while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.

Database specific
{
    "nvd_published_at": "2019-04-23T16:29:00Z",
    "github_reviewed_at": "2022-11-02T00:05:42Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-295"
    ]
}
References

Affected packages

Maven / org.apache.qpid:proton-j

Package

Name
org.apache.qpid:proton-j
View open source insights on deps.dev
Purl
pkg:maven/org.apache.qpid/proton-j

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.9
Fixed
0.27.1

Affected versions

0.*

0.9
0.9.1
0.10
0.11.0
0.11.1
0.12.0
0.12.1
0.12.2
0.13.0
0.13.1
0.14.0
0.15.0
0.16.0
0.17.0
0.18.0
0.19.0
0.20.0
0.21.0
0.22.0
0.23.0
0.24.0
0.25.0
0.26.0
0.27.0