CVE-2016-4432

CWE-287 — Improper Authentication7 documents6 sources

Severity

9.1CRITICAL

EPSS

0.4%

top 39.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Qpid Broker-j

Timeline

PublishedJun 1

Latest updateOct 16

Description

The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication and consequently perform actions via vectors related to connection state logging.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages3 packages

▶Mavenorg.apache.qpid:qpid-broker-plugins-amqp-0-8-protocol< 6.0.3

▶Mavenorg.apache.qpid:qpid-broker-plugins-amqp-1-0-protocol< 6.0.3

▶NVDapache/qpid_broker-j< 6.0.3

Patches

Patch: svn.apache.org ↗Patch: svn.apache.org ↗Patch: svn.apache.org ↗

🔴Vulnerability Details

OSV

AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication↗2018-10-16

▶

GHSA

AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication↗2018-10-16

▶

CVEList

CVE-2016-4432: The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6↗2016-06-01

▶

OSV

CVE-2016-4432: The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6↗2016-06-01

▶

📋Vendor Advisories

Red Hat

qpid-java: Authentication bypass↗2016-05-27

▶

💬Community

Bugzilla

CVE-2016-4432 qpid-java: Authentication bypass↗2016-05-30

▶