Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.qpid/proton-j@0.14.0

Type maven

Namespace org.apache.qpid

Name proton-j

Version 0.14.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 0.30.0

Latest_non_vulnerable_version 0.30.0

Affected_by_vulnerabilities

url VCID-9nj7-fupw-vqaw

vulnerability_id VCID-9nj7-fupw-vqaw

summary

Withdrawn Advisory: Improper Certificate Validation in Apache Qpid Proton
## Withdrawn Advisory
This advisory has been withdrawn because the vulnerability only affects the **Qpid Proton C library** and not `org.apache.qpid:proton-j`. This link has been maintained to preserve external references.

## Original Description

While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-0223.json

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-0223.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-0223

reference_id

reference_type

scores

value	0.00399
scoring_system	epss
scoring_elements	0.60719
published_at	2026-04-18T12:55:00Z

value	0.00399
scoring_system	epss
scoring_elements	0.6068
published_at	2026-04-09T12:55:00Z

value	0.00399
scoring_system	epss
scoring_elements	0.60713
published_at	2026-04-16T12:55:00Z

value	0.00399
scoring_system	epss
scoring_elements	0.6067
published_at	2026-04-13T12:55:00Z

value	0.00399
scoring_system	epss
scoring_elements	0.60691
published_at	2026-04-12T12:55:00Z

value	0.00399
scoring_system	epss
scoring_elements	0.60705
published_at	2026-04-11T12:55:00Z

value	0.00399
scoring_system	epss
scoring_elements	0.60541
published_at	2026-04-01T12:55:00Z

value	0.00399
scoring_system	epss
scoring_elements	0.60615
published_at	2026-04-02T12:55:00Z

value	0.00399
scoring_system	epss
scoring_elements	0.60645
published_at	2026-04-04T12:55:00Z

value	0.00399
scoring_system	epss
scoring_elements	0.60616
published_at	2026-04-07T12:55:00Z

value	0.00399
scoring_system	epss
scoring_elements	0.60664
published_at	2026-04-08T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-0223

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0223
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0223

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://issues.apache.org/jira/browse/PROTON-2014?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://issues.apache.org/jira/browse/PROTON-2014?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel

reference_url

https://lists.apache.org/thread.html/008ee5e78e5a090e1fcc5f6617f425e4e51d59f03d3eda2dd006df9f@%3Cusers.qpid.apache.org%3E

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/008ee5e78e5a090e1fcc5f6617f425e4e51d59f03d3eda2dd006df9f@%3Cusers.qpid.apache.org%3E

reference_url

https://lists.apache.org/thread.html/3adb2f020f705b4fd453982992a68cd10f9d5ac728b699efdb73c1f5@%3Cdev.qpid.apache.org%3E

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/3adb2f020f705b4fd453982992a68cd10f9d5ac728b699efdb73c1f5@%3Cdev.qpid.apache.org%3E

reference_url

https://lists.apache.org/thread.html/49c83f0acce5ceaeffca51714ec2ba0f0199bcb8f99167181bba441b@%3Cdev.qpid.apache.org%3E

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/49c83f0acce5ceaeffca51714ec2ba0f0199bcb8f99167181bba441b@%3Cdev.qpid.apache.org%3E

reference_url

https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d@%3Ccommits.qpid.apache.org%3E

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d@%3Ccommits.qpid.apache.org%3E

reference_url

https://lists.apache.org/thread.html/d9c9a882a292e2defaed1f954528c916fb64497ce57db652727e39b0@%3Cannounce.apache.org%3E

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/d9c9a882a292e2defaed1f954528c916fb64497ce57db652727e39b0@%3Cannounce.apache.org%3E

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-0223

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2019-0223

reference_url

http://www.openwall.com/lists/oss-security/2019/04/23/4

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2019/04/23/4

reference_url

http://www.securityfocus.com/bid/108044

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://www.securityfocus.com/bid/108044

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1702439
reference_id	1702439
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1702439

reference_url

https://github.com/advisories/GHSA-5h6x-m52p-23ph

reference_id

GHSA-5h6x-m52p-23ph

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-5h6x-m52p-23ph

reference_url	https://access.redhat.com/errata/RHSA-2019:0886
reference_id	RHSA-2019:0886
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2019:0886

reference_url	https://access.redhat.com/errata/RHSA-2019:1398
reference_id	RHSA-2019:1398
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2019:1398

reference_url	https://access.redhat.com/errata/RHSA-2019:1399
reference_id	RHSA-2019:1399
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2019:1399

reference_url	https://access.redhat.com/errata/RHSA-2019:1400
reference_id	RHSA-2019:1400
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2019:1400

reference_url	https://access.redhat.com/errata/RHSA-2019:2777
reference_id	RHSA-2019:2777
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2019:2777

reference_url	https://access.redhat.com/errata/RHSA-2019:2778
reference_id	RHSA-2019:2778
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2019:2778

reference_url	https://access.redhat.com/errata/RHSA-2019:2779
reference_id	RHSA-2019:2779
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2019:2779

reference_url	https://access.redhat.com/errata/RHSA-2019:2780
reference_id	RHSA-2019:2780
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2019:2780

reference_url	https://access.redhat.com/errata/RHSA-2019:2781
reference_id	RHSA-2019:2781
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2019:2781

reference_url	https://access.redhat.com/errata/RHSA-2019:2782
reference_id	RHSA-2019:2782
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2019:2782

fixed_packages

url pkg:maven/org.apache.qpid/proton-j@0.27.1

purl pkg:maven/org.apache.qpid/proton-j@0.27.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-sbrt-43uu-6qgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.qpid/proton-j@0.27.1

aliases CVE-2019-0223, GHSA-5h6x-m52p-23ph

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9nj7-fupw-vqaw

url VCID-sbrt-43uu-6qgt

vulnerability_id VCID-sbrt-43uu-6qgt

summary The Apache Qpid Proton-J transport includes an optional wrapper layer to perform TLS, enabled by use of the 'transport.ssl(...)' methods. Unless a verification mode was explicitly configured, client and server modes previously defaulted as documented to not verifying a peer certificate, with options to configure this explicitly or select a certificate verification mode with or without hostname verification being performed. The latter hostname verifying mode was not implemented in Apache Qpid Proton-J versions 0.3 to 0.29.0, with attempts to use it resulting in an exception. This left only the option to verify the certificate is trusted, leaving such a client vulnerable to Man In The Middle (MITM) attack. Uses of the Proton-J protocol engine which do not utilise the optional transport TLS wrapper are not impacted, e.g. usage within Qpid JMS. Uses of Proton-J utilising the optional transport TLS wrapper layer that wish to enable hostname verification must be upgraded to version 0.30.0 or later and utilise the VerifyMode#VERIFY_PEER_NAME configuration, which is now the default for client mode usage unless configured otherwise.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-17187.json

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-17187.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-17187

reference_id

reference_type

scores

value	0.00259
scoring_system	epss
scoring_elements	0.49287
published_at	2026-04-18T12:55:00Z

value	0.00259
scoring_system	epss
scoring_elements	0.49252
published_at	2026-04-08T12:55:00Z

value	0.00259
scoring_system	epss
scoring_elements	0.49291
published_at	2026-04-16T12:55:00Z

value	0.00259
scoring_system	epss
scoring_elements	0.49244
published_at	2026-04-13T12:55:00Z

value	0.00259
scoring_system	epss
scoring_elements	0.49239
published_at	2026-04-12T12:55:00Z

value	0.00259
scoring_system	epss
scoring_elements	0.49266
published_at	2026-04-11T12:55:00Z

value	0.00259
scoring_system	epss
scoring_elements	0.49186
published_at	2026-04-01T12:55:00Z

value	0.00259
scoring_system	epss
scoring_elements	0.49217
published_at	2026-04-02T12:55:00Z

value	0.00259
scoring_system	epss
scoring_elements	0.49245
published_at	2026-04-04T12:55:00Z

value	0.00259
scoring_system	epss
scoring_elements	0.49197
published_at	2026-04-07T12:55:00Z

value	0.00259
scoring_system	epss
scoring_elements	0.49248
published_at	2026-04-09T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-17187

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17187
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17187

reference_url

https://github.com/advisories/GHSA-xvch-r4wf-h8w9

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-xvch-r4wf-h8w9

reference_url

https://github.com/apache/qpid-proton-j/commit/0cb8ca03cec42120dcfc434561592d89a89a805e

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/qpid-proton-j/commit/0cb8ca03cec42120dcfc434561592d89a89a805e

reference_url

https://issues.apache.org/jira/browse/PROTON-1962

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://issues.apache.org/jira/browse/PROTON-1962

reference_url

https://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E

reference_url

http://www.securityfocus.com/bid/105935

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://www.securityfocus.com/bid/105935

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1651837
reference_id	1651837
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1651837

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-17187

reference_id

CVE-2018-17187

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-17187

reference_url

https://qpid.apache.org/cves/CVE-2018-17187.html

reference_id

CVE-2018-17187.HTML

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://qpid.apache.org/cves/CVE-2018-17187.html

fixed_packages

url	pkg:maven/org.apache.qpid/proton-j@0.30.0
purl	pkg:maven/org.apache.qpid/proton-j@0.30.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.qpid/proton-j@0.30.0

aliases CVE-2018-17187, GHSA-xvch-r4wf-h8w9

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sbrt-43uu-6qgt

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.qpid/proton-j@0.14.0

Package Instance