Description

The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.

Remediation

References

http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html

https://issues.apache.org/jira/browse/PROTON-1157

http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html

http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.html

http://www.securityfocus.com/archive/1/537864/100/0/threaded

https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git%3Bh=a058585

https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E

Related Vulnerabilities

CVE-2021-43849 Vulnerability in npm package cordova-plugin-fingerprint-aio

CVE-2022-25205 Vulnerability in maven package org.jenkins-ci.plugins:dbcharts

CVE-2023-27564 Vulnerability in npm package n8n

CVE-2022-0512 Vulnerability in npm package url-parse

CVE-2023-26472 Vulnerability in maven package org.xwiki.platform:xwiki-platform-icon-ui

Severity

High

Classification

CWE-200 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Tags

Patch Vendor Advisory Issue Tracking Third Party Advisory