Skip to main content

Qpid CVE-2012-4446

MEDIUM
Improper Authentication (CWE-287)
2013-03-14 secalert@redhat.com
6.8
CVSS 2.0 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

AV:N/AC:M/Au:N/C:P/I:P/A:P
Attack Vector
Network
Attack Complexity
M
Confidentiality
P
Integrity
P
Availability
P

Lifecycle Timeline

1
CVE Published
Mar 14, 2013 - 03:10 cve.org
MEDIUM 6.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 13 maven packages depend on org.apache.qpid:qpid-client (5 direct, 8 indirect)

Ecosystem-wide dependent count for version 0.20.

DescriptionCVE.org

The default configuration for Apache Qpid 0.20 and earlier, when the federation_tag attribute is enabled, accepts AMQP connections without checking the source user ID, which allows remote attackers to bypass authentication and have other unspecified impact via an AMQP request.

AnalysisAI

The default configuration for Apache Qpid 0.20 and earlier, when the federation_tag attribute is enabled, accepts AMQP connections without checking the source user ID, which allows remote attackers. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Technical ContextAI

This vulnerability is classified as Improper Authentication (CWE-287), which allows attackers to bypass authentication mechanisms to gain unauthorized access. The default configuration for Apache Qpid 0.20 and earlier, when the federation_tag attribute is enabled, accepts AMQP connections without checking the source user ID, which allows remote attackers to bypass authentication and have other unspecified impact via an AMQP request. Affected products include: Apache Qpid.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement multi-factor authentication, enforce strong password policies, use proven authentication frameworks.

More in Qpid

View all
CVE-2015-0224 HIGH
7.5 Oct 30

qpidd in Apache Qpid 0.30 and earlier allows remote attackers to cause a denial of service (daemon crash) via a crafted

CVE-2015-5164 HIGH
7.2 Oct 18

The Qpid server on Red Hat Satellite 6 does not properly restrict message types, which allows remote authenticated users

CVE-2019-0223 HIGH
7.4 Apr 23

While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27

CVE-2012-2145 MEDIUM
5.0 Sep 28

Apache Qpid 0.17 and earlier does not properly restrict incoming client connections, which allows remote attackers to ca

CVE-2013-1909 MEDIUM
5.8 Aug 23

The Python client in Apache Qpid before 2.2 does not verify that the server hostname matches a domain name in the subjec

CVE-2012-4460 MEDIUM
5.0 Mar 14

The serializing/deserializing functions in the qpid::framing::Buffer class in Apache Qpid 0.20 and earlier allow remote

CVE-2012-4458 MEDIUM
5.0 Mar 14

The AMQP type decoder in Apache Qpid 0.20 and earlier allows remote attackers to cause a denial of service (memory consu

CVE-2015-0223 MEDIUM
5.0 Feb 02

Unspecified vulnerability in Apache Qpid 0.30 and earlier allows remote attackers to bypass access restrictions on qpidd

CVE-2012-4459 MEDIUM
5.0 Mar 14

Integer overflow in the qpid::framing::Buffer::checkAvailable function in Apache Qpid 0.20 and earlier allows remote att

CVE-2012-3467 MEDIUM
5.0 Aug 27

Apache QPID 0.14, 0.16, and earlier uses a NullAuthenticator mechanism to authenticate catch-up shadow connections to AM

CVE-2014-3629 MEDIUM
4.3 Nov 17

XML external entity (XXE) vulnerability in the XML Exchange module in Apache Qpid 0.30 allows remote attackers to cause

Share

CVE-2012-4446 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy