Description

The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.

Remediation

References

http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.html

http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html

http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html

http://www.securityfocus.com/archive/1/537864/100/0/threaded

https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git%3Bh=a058585

https://issues.apache.org/jira/browse/PROTON-1157

https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E

Related Vulnerabilities

CVE-2020-28270 Vulnerability in npm package object-hierarchy-access

CVE-2020-8176 Vulnerability in npm package koa-shopify-auth

CVE-2022-21721 Vulnerability in npm package next

CVE-2018-5158 Vulnerability in npm package pdfjs-dist

CVE-2021-30246 Vulnerability in npm package jsrsasign

Severity

High

Classification

CWE-200 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Tags

Third Party Advisory Patch Vendor Advisory Issue Tracking