Description

The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.

Remediation

References

http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.html

http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html

http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html

http://www.securityfocus.com/archive/1/537864/100/0/threaded

https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git%3Bh=a058585

https://issues.apache.org/jira/browse/PROTON-1157

https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E

Related Vulnerabilities

CVE-2016-10563 Vulnerability in npm package go-ipfs-dep

CVE-2020-5529 Vulnerability in maven package net.sourceforge.htmlunit:htmlunit

CVE-2019-19771 Vulnerability in npm package conistring

CVE-2020-6451 Vulnerability in maven package org.webjars.npm:electron

CVE-2019-13127 Vulnerability in maven package org.webjars.npm:mxgraph

Severity

High

Classification

CWE-200 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Tags

Third Party Advisory Patch Vendor Advisory Issue Tracking