Improper Certificate Validation in Twisted Web - CVE-2019-12855

Published: June 16, 2019 / Updated: August 3, 2020


Vulnerability identifier: #VU33150
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-12855
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Twisted Matrix Labs
Affected software:
Twisted Web

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify the server's certificate when a connection was upgraded to TLS, so any certificate was accepted and an attacker on the network path could MITM those connections.

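As an added illustration (not code from Twisted or from this advisory), the weak TLS client setup the description refers to is shown beside its verified counterpart, written with Python's standard ssl module so it runs stand-alone; in Twisted itself, twisted.internet.ssl.optionsForClientTLS is the verifying equivalent of the hardened context. The XMPP host name is a constructed placeholder, and starttls is a hypothetical helper that refuses to upgrade a connection with a non-validating context.

```python
import ssl
from typing import List

XMPP_HOST = "xmpp.example.org"  # constructed placeholder, not a real peer


def insecure_client_context() -> ssl.SSLContext:
    """Mirrors the flaw behind CVE-2019-12855 (CWE-295): TLS is negotiated,
    but the peer certificate is never validated, so any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE  # the unsafe setting: no chain validation
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Counterpart of the fix: trust the platform CA store, require a valid
    chain, and match the certificate against the server name."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return CWE-295 findings for a client context; an empty list means OK."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the server name")
    return findings


def starttls(sock, host: str, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Upgrade an already-connected XMPP socket to TLS (STARTTLS style),
    refusing to proceed with a context that would not validate the peer."""
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing STARTTLS: " + "; ".join(problems))
    # server_hostname drives both SNI and host-name matching of the certificate
    return ctx.wrap_socket(sock, server_hostname=host)
```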
How to mitigate CVE-2019-12855

Install the update from the vendor's website.

Sources