CVE-2012-4446 – org.apache.qpid:qpid-client
Package
Manager: maven
Name: org.apache.qpid:qpid-client
Vulnerable Version: >=0 <0.20
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00233 (percentile: 0.45995)
Details
Improper Authentication in Apache Qpid
The default configuration for Apache Qpid 0.20 and earlier, when the federation_tag attribute is enabled, accepts AMQP connections without checking the source user ID, which allows remote attackers to bypass authentication and have other unspecified impact via an AMQP request.
Metadata
Created: 2022-05-17T05:13:24Z
Modified: 2022-07-13T15:56:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mrgh-6x42-x6xf/GHSA-mrgh-6x42-x6xf.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-mrgh-6x42-x6xf
Finding: F039
Auto approve: 1