CVE-2019-12855

In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.4 HIGH
NETWORK
HIGH
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 75%
Affected Products (NVD)
VendorProductVersion
twistedtwisted
𝑥
≤ 19.2.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
twisted
bookworm
22.4.0-4
fixed
bookworm (security)
22.4.0-4+deb12u1
fixed
bullseye
20.3.0-7+deb11u1
fixed
jessie
no-dsa
sid
24.10.0-1
fixed
stretch
no-dsa
trixie
24.7.0-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
twisted
bionic
Fixed 17.9.0-2ubuntu0.1
released
cosmic
ignored
disco
ignored
eoan
Fixed 18.9.0-3ubuntu1.1
released
trusty
Fixed 13.2.0-1ubuntu1.2+esm1
released
xenial
Fixed 16.0.0-1ubuntu0.4
released
twisted-py3
bionic
dne
cosmic
dne
disco
dne
eoan
dne
trusty
dne
xenial
dne
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
python311-Twisted
suse enterprise desktop 15 SP6
22.10.0-150400.5.13.1
fixed
suse enterprise sap 15 SP6
22.10.0-150400.5.13.1
fixed
suse enterprise server 15 SP6
22.10.0-150400.5.13.1
fixed
python311-Twisted-all_non_platform
suse enterprise desktop 15 SP6
22.10.0-150400.5.13.1
fixed
suse enterprise sap 15 SP6
22.10.0-150400.5.13.1
fixed
suse enterprise server 15 SP6
22.10.0-150400.5.13.1
fixed
python311-Twisted-conch
suse enterprise desktop 15 SP6
22.10.0-150400.5.13.1
fixed
suse enterprise sap 15 SP6
22.10.0-150400.5.13.1
fixed
suse enterprise server 15 SP6
22.10.0-150400.5.13.1
fixed
python311-Twisted-conch_nacl
suse enterprise desktop 15 SP6
22.10.0-150400.5.13.1
fixed
suse enterprise sap 15 SP6
22.10.0-150400.5.13.1
fixed
suse enterprise server 15 SP6
22.10.0-150400.5.13.1
fixed
python311-Twisted-contextvars
suse enterprise desktop 15 SP6
22.10.0-150400.5.13.1
fixed
suse enterprise sap 15 SP6
22.10.0-150400.5.13.1
fixed
suse enterprise server 15 SP6
22.10.0-150400.5.13.1
fixed
python311-Twisted-http2
suse enterprise desktop 15 SP6
22.10.0-150400.5.13.1
fixed
suse enterprise sap 15 SP6
22.10.0-150400.5.13.1
fixed
suse enterprise server 15 SP6
22.10.0-150400.5.13.1
fixed
python311-Twisted-serial
suse enterprise desktop 15 SP6
22.10.0-150400.5.13.1
fixed
suse enterprise sap 15 SP6
22.10.0-150400.5.13.1
fixed
suse enterprise server 15 SP6
22.10.0-150400.5.13.1
fixed
python311-Twisted-tls
suse enterprise desktop 15 SP6
22.10.0-150400.5.13.1
fixed
suse enterprise sap 15 SP6
22.10.0-150400.5.13.1
fixed
suse enterprise server 15 SP6
22.10.0-150400.5.13.1
fixed
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00013.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00028.html
https://github.com/twisted/twisted/pull/1147
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLTZDMFBNFSJMBXYJNGJHENJA4H2TSMZ/
https://twistedmatrix.com/trac/ticket/9561
https://usn.ubuntu.com/4308-1/
https://usn.ubuntu.com/4308-2/
https://www.oracle.com/security-alerts/cpuapr2020.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00013.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00028.html
https://github.com/twisted/twisted/pull/1147
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLTZDMFBNFSJMBXYJNGJHENJA4H2TSMZ/
https://twistedmatrix.com/trac/ticket/9561
https://usn.ubuntu.com/4308-1/
https://usn.ubuntu.com/4308-2/
https://www.oracle.com/security-alerts/cpuapr2020.html