CVE-2019-19270

An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. Failure to check for the appropriate field of a CRL entry (checking twice for subject, rather than once for subject and once for issuer) prevents some valid CRLs from being taken into account, and can allow clients whose certificates have been revoked to proceed with a connection to the server.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00009.html
https://github.com/proftpd/proftpd/issues/859	Patch Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OGBBCPLJSDPFG5EI5P5G7P4KEX7YSD5G/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QR65XUHPCRU3NXTSFVF2J4GWRIHC7AHW/

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:proftpd:proftpd::::::::
	cpe:2.3:a:proftpd:proftpd:1.3.6:-::::::
	cpe:2.3:a:proftpd:proftpd:1.3.6:alpha::::::
	cpe:2.3:a:proftpd:proftpd:1.3.6:beta::::::

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:30:::::::*
	cpe:2.3:o:fedoraproject:fedora:31:::::::*

History

No history.

Information

Published : 2019-11-26 04:15

Updated : 2024-02-04 20:39

NVD link : CVE-2019-19270

Mitre link : CVE-2019-19270

CVE.ORG link : CVE-2019-19270

JSON object : View

Products Affected

fedoraproject

fedora

proftpd

proftpd

CWE

CWE-295

Improper Certificate Validation

{"id": "CVE-2019-19270", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2019-11-26T04:15:12.950", "references": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00009.html", "source": "cve@mitre.org"}, {"url": "https://github.com/proftpd/proftpd/issues/859", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OGBBCPLJSDPFG5EI5P5G7P4KEX7YSD5G/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QR65XUHPCRU3NXTSFVF2J4GWRIHC7AHW/", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. Failure to check for the appropriate field of a CRL entry (checking twice for subject, rather than once for subject and once for issuer) prevents some valid CRLs from being taken into account, and can allow clients whose certificates have been revoked to proceed with a connection to the server."}, {"lang": "es", "value": "Se detect\u00f3 un problema en la funci\u00f3n tls_verify_crl en ProFTPD versiones hasta 1.3.6b. Un fallo en la comprobaci\u00f3n del campo apropiado de una entrada de CRL (verificando dos veces por tema, en lugar de una vez por tema y una vez por emisor), impide tener en cuenta algunas CRL v\u00e1lidas y puede permitir que clientes cuyos certificados han sido revocados contin\u00faen con una conexi\u00f3n en el servidor."}], "lastModified": "2023-11-07T03:07:36.893", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:proftpd:proftpd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C8267809-FDF5-459D-B34D-8CFF65B03A22", "versionEndIncluding": "1.3.5"}, {"criteria": "cpe:2.3:a:proftpd:proftpd:1.3.6:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "47526BA5-3955-43B3-8EA4-5C29DDA3F9C7"}, {"criteria": "cpe:2.3:a:proftpd:proftpd:1.3.6:alpha:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7FC30FC2-1DEB-4CA7-922C-EA94E895E978"}, {"criteria": "cpe:2.3:a:proftpd:proftpd:1.3.6:beta:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1F41C633-216D-4A8C-BAA6-940452751735"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3"}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}