Improper SSL Connection Handling in Apache Qpid Proton
CVE-2016-2166
6.5 MEDIUM
What is CVE-2016-2166?
Apache Qpid Proton prior to version 0.12.1 contains a vulnerability where certain classes improperly handle SSL connections for 'amqps' URIs when SSL support is not enabled. This flaw may expose sensitive data to man-in-the-middle attackers, allowing them to intercept or alter information transmitted over the connection. Users should update to version 0.12.1 or later to mitigate the risk associated with this vulnerability.
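The failure mode can be shown with a simplified model, added here as an illustration and not taken from Qpid Proton's code: it treats the improper handling as a silent fallback to an unencrypted connection, shown beside a fail-closed form, plus a small audit helper for configured broker URLs. The function names, the `tls_available` flag and the sample broker URLs are assumptions made for this example.

```python
from urllib.parse import urlsplit

FIXED_VERSION = (0, 12, 1)  # first fixed release named in the advisory


class TLSUnavailable(Exception):
    """An amqps URI was requested but no TLS layer can be used."""


def scheme_of(url):
    return urlsplit(url).scheme.lower()


def select_transport_fail_open(url, tls_available):
    """Model of the flaw: amqps without TLS support quietly becomes plaintext."""
    if scheme_of(url) == "amqps" and tls_available:
        return "tls"
    return "plaintext"


def select_transport_fail_closed(url, tls_available):
    """Hardened form: the URI scheme is a requirement, never a hint."""
    scheme = scheme_of(url)
    if scheme == "amqps":
        if not tls_available:
            raise TLSUnavailable("TLS support not enabled, refusing amqps connection")
        return "tls"
    if scheme == "amqp":
        return "plaintext"
    raise ValueError("unsupported URI scheme: " + repr(scheme))


def is_affected(version):
    """True for a dotted numeric Qpid Proton version older than 0.12.1."""
    parts = [int(p) for p in version.split(".")[:3]]
    parts += [0] * (3 - len(parts))
    return tuple(parts) < FIXED_VERSION


def audit(urls, tls_available, version):
    """Configured amqps URLs that an affected client would send in the clear."""
    if not is_affected(version):
        return []
    return [u for u in urls if scheme_of(u) == "amqps"
            and select_transport_fail_open(u, tls_available) == "plaintext"]


# Constructed sample configuration (hypothetical hosts).
SAMPLE_URLS = ["amqps://broker.example:5671/orders", "amqp://localhost:5672/dev"]
```

Running `audit` over a deployment's broker URLs with the host's actual TLS availability and installed version lists the connections that need the upgrade first.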