Description

The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.

Remediation

References

http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.html

http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html

http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html

http://www.securityfocus.com/archive/1/537864/100/0/threaded

https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git%3Bh=a058585

https://issues.apache.org/jira/browse/PROTON-1157

https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E

Related Vulnerabilities

CVE-2022-0508 Vulnerability in npm package @peertube/embed-api

CVE-2015-8851 Vulnerability in maven package org.webjars:node-uuid

CVE-2019-18394 Vulnerability in maven package org.igniterealtime.openfire:xmppserver

CVE-2018-20676 Vulnerability in maven package org.webjars:bootstrap

CVE-2017-18869 Vulnerability in maven package org.webjars.npm:chownr

Severity

High

Classification

CWE-200 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Tags

Third Party Advisory Patch Vendor Advisory Issue Tracking