CVE-2016-2166
MEDIUMApache Qpid Proton < 0.12.1 - Unencrypted Connection for AMQPS URI Scheme
Title source: llmDescription
The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.
References (7)
Core 7
Core References
Issue Tracking x_refsource_confirm
https://issues.apache.org/jira/browse/PROTON-1157
Third Party Advisory x_refsource_misc
http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html
Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.html
Various Sources x_refsource_confirm
https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git%3Bh=a058585
Patch, Vendor Advisory x_refsource_confirm
http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/537864/100/0/threaded
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E
Scores
CVSS v3
6.5
EPSS
0.0027
EPSS Percentile
50.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
Details
CWE
CWE-200
Status
published
Products (3)
apache/qpid_proton
< 0.12.0
fedoraproject/fedora
23
org.apache.qpid/proton-j
0 - 0.12.1Maven
Published
Apr 12, 2016
Tracked Since
Feb 18, 2026