#VU33150 Improper Certificate Validation in Twisted Web - CVE-2019-12855
Published: June 16, 2019 / Updated: August 3, 2020
Vulnerability identifier: #VU33150
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-12855
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Twisted Web
Software vendor:
Twisted Matrix Labs
Description
The vulnerability allows a remote, unauthenticated attacker to read and manipulate data.
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify the server certificate when used with TLS, allowing an attacker positioned on the network path to intercept and tamper with connections (MITM).
Remediation
Install the update from the vendor's website.
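As an added check (not part of this advisory or of the Twisted project), the following Python scan flags pinned Twisted versions at or below 19.2.1, the last affected release the advisory names, in `pip freeze` style output; the sample lines and the helper names are constructed for illustration.

```python
import re
from typing import List, Tuple

# Last affected release per the advisory: Twisted "through 19.2.1".
LAST_AFFECTED = (19, 2, 1)

# Constructed sample of `pip freeze` output; not taken from any real host.
SAMPLE_FREEZE = """\
attrs==19.1.0
Twisted==19.2.1
twisted==19.10.0
Twisted==18.9.0
Twisted==19.2.0rc1
zope.interface==4.6.0
"""

# name==version, ignoring any trailing environment marker after ';'
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([^\s;]+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric release tuple: 19.10.0 must sort after 19.2.1, which a
    plain string comparison would get wrong. Pre-release suffixes such
    as 'rc1' are dropped, so 19.2.0rc1 compares as 19.2.0."""
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True for Twisted releases up to and including 19.2.1 (CVE-2019-12855)."""
    release = (parse_version(version) + (0, 0, 0))[:3]  # pad 19.2 -> 19.2.0
    return release <= LAST_AFFECTED


def affected_pins(freeze_output: str) -> List[Tuple[str, str]]:
    """Return (name, version) for every pinned Twisted that is still affected."""
    hits = []
    for line in freeze_output.splitlines():
        m = _PIN_RE.match(line)
        if m and m.group(1).lower() == "twisted" and is_affected(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for name, version in affected_pins(SAMPLE_FREEZE):
        print(f"{name}=={version}: affected by CVE-2019-12855, upgrade")
```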
External links
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00013.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00028.html
- https://github.com/twisted/twisted/pull/1147
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PLTZDMFBNFSJMBXYJNGJHENJA4H2TSMZ/
- https://twistedmatrix.com/trac/ticket/9561
- https://usn.ubuntu.com/4308-1/
- https://usn.ubuntu.com/4308-2/
- https://www.oracle.com/security-alerts/cpuapr2020.html