CVE-2019-0231

Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2.0.21, 2.1.0 users should migrate to 2.1.1. This issue affects: Apache MINA.

Published: Oct 1, 2019
Updated: May 9, 2024
CVE: CVE-2019-0231
GHSA: GHSA-5h29-qq92-wj7f
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-319

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
apache / mina	2.1.1	2.1.1.x
apache / mina	2.0.20	2.0.20.x
org.apache.mina / mina-core	-	2.0.21
org.apache.mina / mina-core	2.1.0	2.1.0.x
org.apache.mina / mina-core	2.1.0	2.1.1

http://mina.apache.org/mina-project/index.html#mina-211-mina-2021-released-posted-on-april-14-2019

Vulnerability Database

CVE-2019-0231

Deep Security Visibility Without the Complexity