CVE-2019-12855
Published: 2019-06-16
CVE-2019-12855: In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM…
Priority: P3 · 38 · high · CVSS 3.0: 7.4
CVSS 3.0 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 1.82% (76.0th percentile)
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
Affected (16 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | twisted | < twisted 18.9.0-7 (bookworm) | twisted 18.9.0-7 (bookworm) |
| msrc | cbl2_python-twisted_22.2.0-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_python-twisted_20.3.0-1_on_cbl_mariner_1.0 | — | — |
| twisted | twisted | <= 19.2.1 | — |
| twisted | twisted | >= 0 < 18.9.0-7 | 18.9.0-7 |
| twisted | twisted | >= 0 < 18.9.0-7 | 18.9.0-7 |
| twisted | twisted | >= 0 < 18.9.0-7 | 18.9.0-7 |
| twisted | twisted | >= 0 < 18.9.0-7 | 18.9.0-7 |
| twisted | twisted | >= 0 < 19.7.0rc1 | 19.7.0rc1 |
| twisted | twisted | >= 0 < 16.0.0-1ubuntu0.4 | 16.0.0-1ubuntu0.4 |
| twisted | twisted | >= 0 < 17.9.0-2ubuntu0.1 | 17.9.0-2ubuntu0.1 |
| twisted | twisted | >= 0 < 13.2.0-1ubuntu1.2+esm1 | 13.2.0-1ubuntu1.2+esm1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.4 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| osv | — | 7.4 | HIGH | — |
| vendor_debian | — | 7.4 | HIGH | — |
| vendor_msrc | — | 7.4 | HIGH | — |
| vendor_redhat | — | 7.4 | HIGH | — |
| vendor_ubuntu | — | 6.1 | MEDIUM | — |
OSV · twisted vulnerabilities · 2020-03-30 · CVSS 6.1 · CVE-2019-12387 [MEDIUM]
USN-4308-1 fixed several vulnerabilities in Twisted. This update provides
the corresponding update for Ubuntu 14.04 ESM.
Original advisory details:
It was discovered that Twisted incorrectly validated or sanitized certain
URIs or HTTP methods. A remote attacker could use this issue to inject
invalid characters and possibly perform header injection attacks.
(CVE-2019-12387)
It was discovered that Twisted incorrectly verified XMPP TLS certificates.
A remote attacker could possibly use this issue to perform a
machine-in-the-middle attack and obtain sensitive information. (CVE-2019-12855)
Jake Miller and ZeddYu Lu discovered that Twisted incorrectly handled
certain content-length headers. A remote attacker could possibly use this
issue to perform HTTP request split
OSV · twisted vulnerabilities · 2020-03-19 · CVSS 6.1 · CVE-2019-12387 [MEDIUM]
It was discovered that Twisted incorrectly validated or sanitized certain
URIs or HTTP methods. A remote attacker could use this issue to inject
invalid characters and possibly perform header injection attacks.
(CVE-2019-12387)
It was discovered that Twisted incorrectly verified XMPP TLS certificates.
A remote attacker could possibly use this issue to perform a
machine-in-the-middle attack and obtain sensitive information. (CVE-2019-12855)
It was discovered that Twisted incorrectly handled HTTP/2 connections. A
remote attacker could possibly use this issue to cause Twisted to hang or
consume resources, leading to a denial of service. This issue only affected
Ubuntu 18.04 LTS and Ubuntu 19.10. (CVE-2019-9512, CVE-2019-9514,
CVE-2019-9515)
Jake Miller and ZeddYu L
OSV · Improper Certificate Validation in Twisted · 2019-08-16 · CVE-2019-12855 [CRITICAL]
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
GHSA · Improper Certificate Validation in Twisted · 2019-08-16 · CVE-2019-12855 [CRITICAL] · CWE-295
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
OSV · CVE-2019-12855 · 2019-06-16 · CVSS 7.4 · CVE-2019-12855 [HIGH]
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
Ubuntu · Twisted vulnerabilities · 2020-03-30 · CVSS 6.1 · CVE-2019-12387 [MEDIUM]
Summary: Several security issues were fixed in Twisted.
USN-4308-1 fixed several vulnerabilities in Twisted. This update provides
the corresponding update for Ubuntu 14.04 ESM.
Original advisory details:
It was discovered that Twisted incorrectly validated or sanitized certain
URIs or HTTP methods. A remote attacker could use this issue to inject
invalid characters and possibly perform header injection attacks.
(CVE-2019-12387)
It was discovered that Twisted incorrectly verified XMPP TLS certificates.
A remote attacker could possibly use this issue to perform a
machine-in-the-middle attack and obtain sensitive information. (CVE-2019-12855)
Jake Miller and ZeddYu Lu discovered that Twisted incorrectly handled
certain content-length headers. A remote atta
Ubuntu · Twisted vulnerabilities · 2020-03-19 · CVSS 6.1 · CVE-2019-12387 [MEDIUM]
Summary: Several security issues were fixed in Twisted.
It was discovered that Twisted incorrectly validated or sanitized certain
URIs or HTTP methods. A remote attacker could use this issue to inject
invalid characters and possibly perform header injection attacks.
(CVE-2019-12387)
It was discovered that Twisted incorrectly verified XMPP TLS certificates.
A remote attacker could possibly use this issue to perform a
machine-in-the-middle attack and obtain sensitive information. (CVE-2019-12855)
It was discovered that Twisted incorrectly handled HTTP/2 connections. A
remote attacker could possibly use this issue to cause Twisted to hang or
consume resources, leading to a denial of service. This issue only affected
Ubuntu 18.04 LTS and Ubuntu 19.10. (CVE-20
Red Hat · python-twisted: XMPP support in words.protocols.jabber.xmlstream in Twisted does not verify certificates, allowing for MITM connections · 2019-07-09 · CVSS 7.4 · CVE-2019-12855 [HIGH] · CWE-295
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
Statement:
* This issue affects the version of calamari-server (embeds python-twisted) as shipped with Red Hat Ceph Storage 2, as it does not check the TLS certificate.
* This issue did not affect the versions of python-twisted-core as shipped with Red Hat Gluster Storage 3 and Red Hat Ceph Storage 2 and 3, as they do not ship the XMPP XML Stream bits.
This issue affects the versions of python-twisted-words as shipped with Red Hat Enterprise Linux 6 and 7.
Red Hat Enterprise Linux 6 is now in Mainten
Microsoft · In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections · 2019-06-11 · CVSS 7.4 · CVE-2019-12855 [HIGH] · CWE-295
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Marin
Debian · CVE-2019-12855: twisted - In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did ... · 2019 · CVSS 7.4 · CVE-2019-12855 [HIGH]
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
Scope: local
bookworm: resolved (fixed in 18.9.0-7)
bullseye: resolved (fixed in 18.9.0-7)
forky: resolved (fixed in 18.9.0-7)
sid: resolved (fixed in 18.9.0-7)
trixie: resolved (fixed in 18.9.0-7)
No detection rules found.
No public exploits indexed.
Bugzilla · CVE-2019-12855 python-twisted: XMPP support in words.protocols.jabber.xmlstream in Twisted does not verify certificates, allowing for MITM connections [openstack-rdo] · 2019-08-13 · CVSS 7.4 · CVE-2019-12855 [HIGH]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of openstack-rdo.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM c
Bugzilla · CVE-2019-12855 python-twisted: XMPP support in words.protocols.jabber.xmlstream in Twisted does not verify certificates, allowing for MITM connections · 2019-07-09 · CVSS 7.4 · CVE-2019-12855 [HIGH]
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
Upstream Issue:
https://github.com/twisted/twisted/pull/1147
Discussion:
Created python-twisted tracking bugs for this issue:
Affects: fedora-all [bug 1728207]
---
Marian, this seems a tad tricky to reproduce. Could you help to verify a fix?
---
https://src.fedoraproject.org/rpms/python-twisted/pull-request/8
https://koji.fedoraproject.org/koji/taskinfo?taskID=36150395
---
Sorry for the delay. I see you already have the fix?
---
I have a fix, but I don't know how
Bugzilla · CVE-2019-12855 python-twisted: XMPP support in words.protocols.jabber.xmlstream in Twisted does not verify certificates, allowing for MITM connections [fedora-all] · 2019-07-09 · CVSS 7.4 · CVE-2019-12855 [HIGH]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changel
References:
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00013.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00028.html
- https://github.com/twisted/twisted/pull/1147
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLTZDMFBNFSJMBXYJNGJHENJA4H2TSMZ/
- https://twistedmatrix.com/trac/ticket/9561
- https://usn.ubuntu.com/4308-1/
- https://usn.ubuntu.com/4308-2/
- https://www.oracle.com/security-alerts/cpuapr2020.html
Published: 2019-06-16