Vulnerability Description
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
CVSS Score
7.4
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Twisted | Twisted | <= 19.2.1 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00013.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00028.html
- https://github.com/twisted/twisted/pull/1147PatchThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://twistedmatrix.com/trac/ticket/9561Vendor Advisory
- https://usn.ubuntu.com/4308-1/
- https://usn.ubuntu.com/4308-2/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00013.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00028.html
- https://github.com/twisted/twisted/pull/1147PatchThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://twistedmatrix.com/trac/ticket/9561Vendor Advisory
- https://usn.ubuntu.com/4308-1/
- https://usn.ubuntu.com/4308-2/
FAQ
What is CVE-2019-12855?
CVE-2019-12855 is a vulnerability with a CVSS score of 7.4 (HIGH). In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
How severe is CVE-2019-12855?
CVE-2019-12855 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-12855?
Check the references section above for vendor advisories and patch information. Affected products include: Twisted Twisted.