CVE-2012-3467

CWE-287 — Improper Authentication6 documents6 sources

Severity

5.0MEDIUM

EPSS

1.1%

top 21.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Qpid

Timeline

PublishedAug 27

Latest updateMay 17

Description

Apache QPID 0.14, 0.16, and earlier uses a NullAuthenticator mechanism to authenticate catch-up shadow connections to AMQP brokers, which allows remote attackers to bypass authentication.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶Mavenorg.apache.qpid:qpid-parent< 0.17

▶NVDapache/qpid0.16+3

🔴Vulnerability Details

GHSA

Apache QPID Allows Remote Authentication Bypass↗2022-05-17

▶

OSV

Apache QPID Allows Remote Authentication Bypass↗2022-05-17

▶

CVEList

CVE-2012-3467: Apache QPID 0↗2012-08-27

▶

📋Vendor Advisories

Red Hat

qpid-cpp-server-cluster: unauthorized broker access caused by the use of NullAuthenticator catch-up shadow connections↗2012-06-22

▶

💬Community

Bugzilla

CVE-2012-3467 qpid-cpp-server-cluster: unauthorized broker access caused by the use of NullAuthenticator catch-up shadow connections↗2012-06-28

▶