Description

The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.

Remediation

References

http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.html

http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html

http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html

http://www.securityfocus.com/archive/1/537864/100/0/threaded

https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git%3Bh=a058585

https://issues.apache.org/jira/browse/PROTON-1157

https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E

Related Vulnerabilities

CVE-2020-8203 Vulnerability in maven package org.fujion.webjars:lodash

CVE-2016-10543 Vulnerability in npm package call

CVE-2017-7957 Vulnerability in maven package xstream:xstream

CVE-2020-35202 Vulnerability in maven package org.igniterealtime.openfire.plugins:dbaccess

CVE-2018-19048 Vulnerability in maven package org.webjars:simditor

Severity

High

Classification

CWE-200 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Tags

Third Party Advisory Patch Vendor Advisory Issue Tracking