CVE-2016-2166

6.5MEDIUM

Key Information:

Vendor
Apache
Status
Qpid Proton
Vendor
CVE Published:
12 April 2016

Summary

The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.

References

https://issues.apache.org/jira/browse/PROTON-1157
x_refsource_CONFIRM
http://packetstormsecurity.com/files/136403/Apache-Qpid-P...
x_refsource_MISC
http://lists.fedoraproject.org/pipermail/package-announce...
vendor-advisoryx_refsource_FEDORA

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.