Charles E. Rolke

**Name of the Vulnerable Software and Affected Versions** Apache Qpid versions 0.20 and earlier **Description** The issue concerns the default configuration of Apache Qpid when the federation tag attribute is enabled. In this setup, the software accepts AMQP connections without verifying the source user ID. This allows remote attackers to bypass authentication, potentially leading to unauthorized access. **Recommendations** For Apache Qpid versions 0.20 and earlier, consider disabling the federation tag attribute until a proper fix is applied to prevent unauthorized access. Additionally, restrict access to AMQP connections to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.