Miggo Logo

CVE-2019-0231: Cleartext Transmission of Sensitive Information in Apache MINA

7.5

CVSS Score
3.1

Basic Information

EPSS Score
0.71243%
Published
5/24/2022
Updated
1/27/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.mina:mina-coremaven<= 2.0.202.0.21
org.apache.mina:mina-coremaven= 2.1.02.1.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper handling of SSL/TLS close_notify messages. The SslHandler.checkStatus() method was missing CLOSED state handling, leaving sessions open. The SslFilter.messageSent() method lacked proper request wrapping to track encryption state. Both functions directly process security-critical TLS message handling and session state management. The patches explicitly modify these functions to add session closure and request wrapping logic, confirming their involvement in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**n*lin* o* t** *los*_noti*y SSL/TLS m*ss*** *o*s not l*** to * *onn**tion *losur*, l***in* t** s*rv*r to r*t*in t** so*k*t op*n** *n* to **v* t** *li*nt pot*nti*lly r***iv* *l**r t*xt m*ss***s **t*rw*r*. Miti**tion: *.*.** us*rs s*oul* mi*r*t* to *.

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* SSL/TLS *los*_noti*y m*ss***s. T** `Ssl**n*l*r.****kSt*tus()` m*t*o* w*s missin* *LOS** st*t* **n*lin*, l**vin* s*ssions op*n. T** `Ssl*ilt*r.m*ss***S*nt()` m*t*o* l**k** prop*r r*qu*st wr*ppin* to tr