CVE-2016-2166 – org.apache.qpid:proton-j
Package
Manager: maven
Name: org.apache.qpid:proton-j
Vulnerable Version: >=0 <0.12.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00271 (percentile: 0.50306)
Details
Moderate severity vulnerability that affects org.apache.qpid:proton-j. The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.
Metadata
Created: 2018-10-16T19:50:27Z
Modified: 2021-09-09T21:40:11Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-f5cf-f7px-xpmh/GHSA-f5cf-f7px-xpmh.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-f5cf-f7px-xpmh
Finding: F017
Auto approve: 1