CVE-2019-12855

EUVD-2019-0147
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.4 HIGH
NETWORK
HIGH
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 70%
Affected Products (NVD)
VendorProductVersion
twistedtwisted
𝑥
≤ 19.2.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
twisted
bookworm
22.4.0-4
fixed
bookworm (security)
22.4.0-4+deb12u1
fixed
bullseye
20.3.0-7+deb11u1
fixed
jessie
no-dsa
sid
24.10.0-1
fixed
stretch
no-dsa
trixie
24.7.0-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
twisted
bionic
Fixed 17.9.0-2ubuntu0.1
released
cosmic
ignored
disco
ignored
eoan
Fixed 18.9.0-3ubuntu1.1
released
trusty
Fixed 13.2.0-1ubuntu1.2+esm1
released
xenial
Fixed 16.0.0-1ubuntu0.4
released
twisted-py3
bionic
dne
cosmic
dne
disco
dne
eoan
dne
trusty
dne
xenial
dne
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00013.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00028.html
https://github.com/twisted/twisted/pull/1147
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLTZDMFBNFSJMBXYJNGJHENJA4H2TSMZ/
https://twistedmatrix.com/trac/ticket/9561
https://usn.ubuntu.com/4308-1/
https://usn.ubuntu.com/4308-2/
https://www.oracle.com/security-alerts/cpuapr2020.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00013.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00028.html
https://github.com/twisted/twisted/pull/1147
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLTZDMFBNFSJMBXYJNGJHENJA4H2TSMZ/
https://twistedmatrix.com/trac/ticket/9561
https://usn.ubuntu.com/4308-1/
https://usn.ubuntu.com/4308-2/
https://www.oracle.com/security-alerts/cpuapr2020.html