Description
The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.
Remediation
References
http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html
https://issues.apache.org/jira/browse/PROTON-1157
http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.html
http://www.securityfocus.com/archive/1/537864/100/0/threaded
https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git%3Bh=a058585
https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E
Related Vulnerabilities
CVE-2022-41937 Vulnerability in maven package org.xwiki.platform:xwiki-platform-filter-ui
CVE-2023-50775 Vulnerability in maven package org.jenkins-ci.plugins:ec2-deployment-dashboard
CVE-2023-36665 Vulnerability in maven package org.webjars.npm:github-com-protobufjs-protobuf-js
CVE-2022-4244 Vulnerability in maven package org.codehaus.plexus:plexus-utils
CVE-2023-37954 Vulnerability in maven package com.sonyericsson.hudson.plugins.rebuild:rebuild