CVE-2019-12855
Description
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Twisted XMPP implementation fails to verify TLS certificates, allowing man-in-the-middle attacks on encrypted connections.
Vulnerability
The vulnerability exists in the words.protocols.jabber.xmlstream module of Twisted through version 19.2.1. When XMPP connections use TLS, certificate verification is not performed: neither the client nor the server validates the identity of its peer. This breaks the security guarantees of TLS, since any certificate, including a self-signed or attacker-controlled one, is accepted without validation [1][2].
Exploitation
An attacker with network access to the communication link can perform a machine-in-the-middle (MITM) attack. By intercepting the TLS handshake and presenting a forged certificate, the attacker can establish separate encrypted sessions with both endpoints. No authentication is required beyond network position, and the attack is transparent to the users of the XMPP service [2][3].
Impact
Successful exploitation allows the attacker to read, modify, or inject messages in the XMPP stream. This can lead to disclosure of sensitive information, impersonation, or further compromise of systems relying on XMPP communications [2].
Mitigation
The issue has been fixed in later versions of Twisted. Ubuntu has released security updates (USN-4308-1 and USN-4308-2) addressing this vulnerability for affected releases [2][3]. Users should upgrade to a patched version of Twisted to restore proper TLS certificate verification.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Twisted (PyPI) | < 19.7.0rc1 | 19.7.0rc1 |
Affected products
Twisted/Twisted (GHSA coordinates; no CPE assigned). Affected ranges by package URL:

| Package | Distribution | Affected versions |
|---|---|---|
| pkg:pypi/twisted | PyPI | < 19.7.0rc1 |
| pkg:rpm/opensuse/python-Twisted | openSUSE Leap 15.0 | < 17.9.0-lp151.3.6.1 |
| pkg:rpm/opensuse/python-Twisted | openSUSE Leap 15.1 | < 17.9.0-lp151.3.6.1 |
| pkg:rpm/suse/python-Twisted | HPE Helion OpenStack 8 | < 15.2.1-9.8.1 |
| pkg:rpm/suse/python-Twisted | SUSE Enterprise Storage 4 | < 15.2.1-9.8.1 |
| pkg:rpm/suse/python-Twisted | SUSE Enterprise Storage 5 | < 15.2.1-9.8.1 |
| pkg:rpm/suse/python-Twisted | SUSE Linux Enterprise Module for Web and Scripting 12 | < 15.2.1-9.8.1 |
| pkg:rpm/suse/python-Twisted | SUSE OpenStack Cloud 7 | < 15.2.1-9.8.1 |
| pkg:rpm/suse/python-Twisted | SUSE OpenStack Cloud 8 | < 15.2.1-9.8.1 |
| pkg:rpm/suse/python-Twisted | SUSE OpenStack Cloud 9 | < 15.2.1-9.8.1 |
| pkg:rpm/suse/python-Twisted | SUSE OpenStack Cloud Crowbar 8 | < 15.2.1-9.8.1 |
| pkg:rpm/suse/python-Twisted | SUSE OpenStack Cloud Crowbar 9 | < 15.2.1-9.8.1 |
| pkg:rpm/suse/python-Twisted | SUSE Package Hub 15 | < 17.9.0-bp150.4.6.1 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.opensuse.org/opensuse-security-announce/2019-09/msg00013.html (SUSE vendor advisory)
- lists.opensuse.org/opensuse-security-announce/2019-09/msg00028.html (SUSE vendor advisory)
- github.com/advisories/GHSA-65rm-h285-5cc5 (GitHub Security Advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLTZDMFBNFSJMBXYJNGJHENJA4H2TSMZ/ (Fedora vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-12855 (NVD entry)
- usn.ubuntu.com/4308-1/ (Ubuntu vendor advisory)
- usn.ubuntu.com/4308-2/ (Ubuntu vendor advisory)
- github.com/pypa/advisory-database/tree/main/vulns/twisted/PYSEC-2019-129.yaml (PyPA advisory database)
- github.com/twisted/twisted/pull/1147 (Twisted pull request)
- twistedmatrix.com/trac/ticket/9561 (Twisted issue tracker)
- www.oracle.com/security-alerts/cpuapr2020.html (Oracle security alert)
News mentions
No linked articles in our index yet.