CVE-2019-14887
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/03/2020
Last modified:
02/11/2021
Description
A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable.
Impact
Base Score 3.x
9.10
Severity 3.x
CRITICAL
Base Score 2.0
6.40
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:* | ||
| cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:redhat:wildfly:7.2.0:general_availability:*:*:*:*:*:* | ||
| cpe:2.3:a:redhat:wildfly:7.2.3:general_availability:*:*:*:*:*:* | ||
| cpe:2.3:a:redhat:wildfly:7.2.5:cr2:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page