CVE-2016-2166

MEDIUM

Apache Qpid Proton < 0.12.0 - Information Disclosure

Title source: rule

Description

The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.

References (7)

[Third Party Advisory] http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.html

[Third Party Advisory] http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html

[Patch, Vendor Advisory] http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html

[Various Sources] https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git%3Bh=a058585

[Issue Tracking] https://issues.apache.org/jira/browse/PROTON-1157

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/537864/100/0/threaded

[Mailing List] https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E

Scores

CVSS v3 6.5

EPSS 0.0027

EPSS Percentile 50.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Classification

CWE

CWE-200

Status draft

Affected Products (3)

apache/qpid_proton < 0.12.0

fedoraproject/fedora

org.apache.qpid/proton-j < 0.12.1Maven

Timeline

Published Apr 12, 2016

Tracked Since Feb 18, 2026