CVE-2016-2166

The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.

Published: Apr 12, 2016
Updated: Nov 8, 2023
CVE: CVE-2016-2166
GHSA: GHSA-f5cf-f7px-xpmh
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5.8
AV:N/AC:M/Au:N/C:P/I:P/A:N

CWEs:

CWE-200

Affected Software
References

Software	From	Fixed in
apache / qpid_proton	-	0.12.0.x
fedoraproject / fedora	23	23.x
org.apache.qpid / proton-j	-	0.12.1

http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.html
http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html
http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html
http://www.securityfocus.com/archive/1/537864/100/0/threaded
https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=a058585
https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git%3Bh=a058585
https://issues.apache.org/jira/browse/PROTON-1157
https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d@%3Ccommits.qpid.apache.org%3E
https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E

Vulnerability Database

289,697

CVE-2016-2166