PT-2017-14151 · Apache · Apache Qpid Broker-J
Published: 2017-12-01 · Updated: 2023-05-22 · CVE-2017-15702
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Apache Qpid Broker-J versions 0.18 through 0.32
Description
The issue allows a remote unauthenticated attacker to trick the broker into using the authentication provider configured for a different port when connecting to an HTTP port. This becomes a problem when the spoofed port has weaker authentication protection, such as anonymous access or default accounts, because the HTTP port's own authentication can then be circumvented. The attacker still needs valid credentials with the authentication provider on the spoofed port. AMQP ports are not affected.
Recommendations
For Apache Qpid Broker-J versions 0.18 through 0.32, update to version 6.0.0 or newer to resolve the issue.
Related Identifiers
Affected Products
Apache Qpid Broker-J