ghsa-5h6x-m52p-23ph
Vulnerability from github
Published
2022-05-24 16:44
Modified
2025-07-01 21:15
Severity ?
7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Withdrawn Advisory: Improper Certificate Validation in Apache Qpid Proton
Details

Withdrawn Advisory

This advisory has been withdrawn because the vulnerability only affects the Qpid Proton C library and not org.apache.qpid:proton-j. This link has been maintained to preserve external references.

Original Description

While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS even when configured to verify the peer certificate while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.qpid:proton-j"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.9"
            },
            {
              "fixed": "0.27.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-0223"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-02T00:05:42Z",
    "nvd_published_at": "2019-04-23T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "## Withdrawn Advisory\nThis advisory has been withdrawn because the vulnerability only affects the **Qpid Proton C library** and not `org.apache.qpid:proton-j`. This link has been maintained to preserve external references.\n\n## Original Description\n\nWhile investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.",
  "id": "GHSA-5h6x-m52p-23ph",
  "modified": "2025-07-01T21:15:27Z",
  "published": "2022-05-24T16:44:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0223"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/PROTON-2014?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/008ee5e78e5a090e1fcc5f6617f425e4e51d59f03d3eda2dd006df9f@%3Cusers.qpid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/3adb2f020f705b4fd453982992a68cd10f9d5ac728b699efdb73c1f5@%3Cdev.qpid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/49c83f0acce5ceaeffca51714ec2ba0f0199bcb8f99167181bba441b@%3Cdev.qpid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d@%3Ccommits.qpid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/d9c9a882a292e2defaed1f954528c916fb64497ce57db652727e39b0@%3Cannounce.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/04/23/4"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/108044"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Withdrawn Advisory: Improper Certificate Validation in Apache Qpid Proton",
  "withdrawn": "2025-07-01T21:15:27Z"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.