Fluid Attacks Database

Description

Improper Certificate Validation in Twisted In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	twisted	>=0 <19.7.0rc1	19.7.0rc1
debian 11	twisted	>=0 <18.9.0-7	18.9.0-7
debian 13	twisted	>=0 <18.9.0-7	18.9.0-7
debian 12	twisted	>=0 <18.9.0-7	18.9.0-7
debian 14	twisted	>=0 <18.9.0-7	18.9.0-7
rpm rhel6	python-twisted-words	-	-
rpm rhel7	python-twisted-words	-	-

Aliases

1. CVE-2019-128552. NVD-2019-128553. OSV-2019-128554. OSV-DEBIAN-2019-128555. GCVE-2019-128556. SECURITY-TRACKER-CVE-2019-12855

References

1. https://github.com/twisted/twisted/pull/11472. https://github.com/pypa/advisory-database/tree/main/vulns/twisted/PYSEC-2019-129.yaml3. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLTZDMFBNFSJMBXYJNGJHENJA4H2TSMZ4. https://lists.fedoraproject.org/archives/list/[email protected]/message/PLTZDMFBNFSJMBXYJNGJHENJA4H2TSMZ5. https://twistedmatrix.com/trac/ticket/95616. https://usn.ubuntu.com/4308-17. https://usn.ubuntu.com/4308-28. https://www.oracle.com/security-alerts/cpuapr2020.html9. http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00013.html10. http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00028.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.