CVE-2019-12855 - OpenCVE

In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Twistedmatrix	Twisted

Configuration 1 [-]

cpe:2.3:a:twistedmatrix:twisted:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00013.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00028.html
https://github.com/twisted/twisted/pull/1147
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLTZDMFBNFSJMBXYJNGJHENJA4H2TSMZ/
https://nvd.nist.gov/vuln/detail/CVE-2019-12855
https://twistedmatrix.com/trac/ticket/9561
https://usn.ubuntu.com/4308-1/
https://usn.ubuntu.com/4308-2/
https://www.cve.org/CVERecord?id=CVE-2019-12855
https://www.oracle.com/security-alerts/cpuapr2020.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-06-16T11:11:43

Updated: 2024-08-04T23:32:55.450Z

Reserved: 2019-06-16T00:00:00

Link: CVE-2019-12855

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-06-16T12:29:00.227

Modified: 2023-11-07T03:03:42.780

Link: CVE-2019-12855

Redhat

Severity : Moderate

Publid Date: 2019-07-09T00:00:00Z

Links: CVE-2019-12855 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-04-15T21:06:51", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://twistedmatrix.com/trac/ticket/9561"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/twisted/twisted/pull/1147"}, {"name": "FEDORA-2019-d480909528", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLTZDMFBNFSJMBXYJNGJHENJA4H2TSMZ/"}, {"name": "openSUSE-SU-2019:2068", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00013.html"}, {"name": "openSUSE-SU-2019:2110", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00028.html"}, {"name": "USN-4308-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4308-2/"}, {"name": "USN-4308-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4308-1/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12855", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://twistedmatrix.com/trac/ticket/9561", "refsource": "MISC", "url": "https://twistedmatrix.com/trac/ticket/9561"}, {"name": "https://github.com/twisted/twisted/pull/1147", "refsource": "MISC", "url": "https://github.com/twisted/twisted/pull/1147"}, {"name": "FEDORA-2019-d480909528", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PLTZDMFBNFSJMBXYJNGJHENJA4H2TSMZ/"}, {"name": "openSUSE-SU-2019:2068", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00013.html"}, {"name": "openSUSE-SU-2019:2110", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00028.html"}, {"name": "USN-4308-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4308-2/"}, {"name": "USN-4308-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4308-1/"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:32:55.450Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://twistedmatrix.com/trac/ticket/9561"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/twisted/twisted/pull/1147"}, {"name": "FEDORA-2019-d480909528", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLTZDMFBNFSJMBXYJNGJHENJA4H2TSMZ/"}, {"name": "openSUSE-SU-2019:2068", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00013.html"}, {"name": "openSUSE-SU-2019:2110", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00028.html"}, {"name": "USN-4308-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4308-2/"}, {"name": "USN-4308-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4308-1/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12855", "datePublished": "2019-06-16T11:11:43", "dateReserved": "2019-06-16T00:00:00", "dateUpdated": "2024-08-04T23:32:55.450Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:twistedmatrix:twisted:*:*:*:*:*:*:*:*", "matchCriteriaId": "B70A4945-1C66-41BB-BA53-04C6366081F5", "versionEndIncluding": "19.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections."}, {"lang": "es", "value": "La vulnerabilidad de tipo cross-site-scripting (XSS) en el servlet ctcprotocol/Protocol en SAP NetWeaver AS JAVA versi\u00f3n 7.3 permite a los atacantes remotos inyectar scripts web arbitrarios o HTML por medio del par\u00e1metro sessionID, tambi\u00e9n se conoce como Nota de Seguridad de SAP 2406783."}], "id": "CVE-2019-12855", "lastModified": "2023-11-07T03:03:42.780", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-16T12:29:00.227", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00013.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00028.html"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/twisted/twisted/pull/1147"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLTZDMFBNFSJMBXYJNGJHENJA4H2TSMZ/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://twistedmatrix.com/trac/ticket/9561"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/4308-1/"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/4308-2/"}, {"source": "cve@mitre.org", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "python-twisted: XMPP support in words.protocols.jabber.xmlstream in Twisted does not verify certificates allowing for a MITM connections", "id": "1728206", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1728206"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-295", "details": ["In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections."], "name": "CVE-2019-12855", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Affected", "package_name": "calamari-server", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Not affected", "package_name": "python-twisted-core", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Not affected", "package_name": "python-twisted-core", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "python-twisted-words", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "python-twisted-words", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Will not fix", "impact": "low", "package_name": "python-twisted", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "impact": "low", "package_name": "python-twisted", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:14", "fix_state": "Out of support scope", "impact": "low", "package_name": "python-twisted", "product_name": "Red Hat OpenStack Platform 14 (Rocky)"}, {"cpe": "cpe:/a:redhat:openstack:9", "fix_state": "Will not fix", "impact": "low", "package_name": "python-twisted", "product_name": "Red Hat OpenStack Platform 9 (Mitaka)"}, {"cpe": "cpe:/a:redhat:openstack-optools:9", "fix_state": "Will not fix", "impact": "low", "package_name": "python-twisted", "product_name": "Red Hat OpenStack Platform 9 (Mitaka) Operational Tools"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "python-twisted-core", "product_name": "Red Hat Storage 3"}], "public_date": "2019-07-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-12855\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-12855"], "statement": "* This issue affects the version of calamari-server(embeds python-twisted) as shipped with Red Hat Ceph Storage 2 as it does not check for TLS certificate.\n* This issue did not affect the versions of python-twisted-core as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and 3 as it does not ship XMPP XML Stream bits.\nThis issue affects the versions of python-twisted-words as shipped with Red Hat Enterprise Linux 6 and 7.\nRed Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.\nRed Hat OpenStack Platform: \n* This flaw depends on the use of the XMPP protocol, which is not used in Red Hat OpenStack Platform. Although updating is recommended for affected versions, Red Hat OpenStack Platform environments are not vulnerable. Because of this and the lower product impact, no fixes will be issued for any Red Hat OpenStack Platform version at this time.\n* Because the flaw's impact is Low, it will not be fixed in Red Hat OpenStack Platform 9 which will retire shortly after the public date.", "threat_severity": "Moderate"}