Vulnerability Details CVE-2016-2166
The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 50.4%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 5.8
References
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.html
- http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html
- http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html
- http://www.securityfocus.com/archive/1/537864/100/0/threaded
- https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git%3Bh=a058585
- https://issues.apache.org/jira/browse/PROTON-1157
- https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.html
- http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html
- http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html
- http://www.securityfocus.com/archive/1/537864/100/0/threaded
- https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git%3Bh=a058585
- https://issues.apache.org/jira/browse/PROTON-1157
- https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E
Products affected by CVE-2016-2166
-
cpe:2.3:a:apache:qpid_proton:0.10.0
-
cpe:2.3:a:apache:qpid_proton:0.11.0
-
cpe:2.3:a:apache:qpid_proton:0.11.1
-
cpe:2.3:a:apache:qpid_proton:0.12.0
-
cpe:2.3:a:apache:qpid_proton:0.8.0
-
cpe:2.3:a:apache:qpid_proton:0.9.0
-
cpe:2.3:a:apache:qpid_proton:0.9.1
-
cpe:2.3:o:fedoraproject:fedora:23