CVE-2012-4446

The default configuration for Apache Qpid 0.20 and earlier, when the federation_tag attribute is enabled, accepts AMQP connections without checking the source user ID, which allows remote attackers to bypass authentication and have other unspecified impact via an AMQP request.

Published: Mar 14, 2013
Updated: May 9, 2024
CVE: CVE-2012-4446
GHSA: GHSA-mrgh-6x42-x6xf
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-287

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
apache / qpid	0.14	0.14.x
apache / qpid	0.7	0.7.x
apache / qpid	0.15	0.15.x
apache / qpid	0.10	0.10.x
apache / qpid	0.17	0.17.x
apache / qpid	-	0.20.x
apache / qpid	0.9	0.9.x
apache / qpid	0.13	0.13.x
apache / qpid	0.6	0.6.x
apache / qpid	0.11	0.11.x
apache / qpid	0.12	0.12.x
apache / qpid	0.18	0.18.x
apache / qpid	0.16	0.16.x
apache / qpid	0.19	0.19.x
apache / qpid	0.5	0.5.x
apache / qpid	0.8	0.8.x
org.apache.qpid / qpid-client	-	0.20

http://rhn.redhat.com/errata/RHSA-2013-0561.html
http://rhn.redhat.com/errata/RHSA-2013-0562.html
http://secunia.com/advisories/52516
https://bugzilla.redhat.com/show_bug.cgi?id=851355
https://issues.apache.org/jira/browse/QPID-4631

Vulnerability Database

289,697

CVE-2012-4446