GHSA-pq4w-qm9g-qx68
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pq4w-qm9g-qx68
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-pq4w-qm9g-qx68/GHSA-pq4w-qm9g-qx68.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-pq4w-qm9g-qx68
- Aliases
- Published
- 2020-03-16T22:46:50Z
- Modified
- 2024-02-16T05:40:39.091352Z
- Severity
-
- 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Insufficient Nonce Validation in Eclipse Milo Client
- Details
-
Impact
Credential replay affecting those connected to a server when all 3 of the following conditions are met: -
SecurityPolicyisNone- using username/password or X509-based authentication - the server has a defect causing it to send null/empty or zeroed noncesPatches
The problem has been patched in version
0.3.6. A more relaxed treatment of validation as agreed upon by the OPC UA Security Working Group is implemented in version0.3.7.Workarounds
Do not use username/password or X509-based authentication with
SecurityPolicyofNone.References
https://opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2019-19135.pdf
For more information
If you have any questions or comments about this advisory: * Open an issue at https://github.com/eclipse/milo/issues * Email the mailing list
- Database specific
{ "nvd_published_at": "2020-03-16T16:15:00Z", "cwe_ids": [ "CWE-330", "CWE-522" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-03-16T20:59:53Z" }- References
-
- https://github.com/eclipse/milo/security/advisories/GHSA-pq4w-qm9g-qx68
- https://nvd.nist.gov/vuln/detail/CVE-2019-19135
- https://github.com/eclipse/milo/commit/cac0e710bf2b8bed9c602fc597e9de1d8903abed
- https://opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2019-19135.pdf
- https://opcfoundation.org/security-bulletins
Affected packages
Maven / org.eclipse.milo:sdk-client
Package
- Name
- org.eclipse.milo:sdk-client
- View open source insights on deps.dev
- Purl
- pkg:maven/org.eclipse.milo/sdk-client
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.3.6