CVE-2012-4446

CWE-287 — Improper Authentication8 documents6 sources

Severity

6.8MEDIUM

EPSS

0.4%

top 36.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Qpid

Timeline

PublishedMar 14

Latest updateMay 17

Description

The default configuration for Apache Qpid 0.20 and earlier, when the federation_tag attribute is enabled, accepts AMQP connections without checking the source user ID, which allows remote attackers to bypass authentication and have other unspecified impact via an AMQP request.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages2 packages

▶Mavenorg.apache.qpid:qpid-client< 0.20

▶NVDapache/qpid0.20+15

🔴Vulnerability Details

OSV

Improper Authentication in Apache Qpid↗2022-05-17

▶

GHSA

Improper Authentication in Apache Qpid↗2022-05-17

▶

OSV

CVE-2012-4446: The default configuration for Apache Qpid 0↗2013-03-14

▶

CVEList

CVE-2012-4446: The default configuration for Apache Qpid 0↗2013-03-12

▶

📋Vendor Advisories

Red Hat

qpid-cpp: qpid authentication bypass↗2013-03-06

▶

💬Community

Bugzilla

CVE-2012-4446 CVE-2012-4458 CVE-2012-4459 qpid-cpp various flaws [fedora-all]↗2013-03-06

▶

Bugzilla

CVE-2012-4446 qpid-cpp: qpid authentication bypass↗2012-08-23

▶