org.springframework.amqp:spring-rabbit 4.0.2

Direct Vulnerabilities

Known vulnerabilities in the org.springframework.amqp:spring-rabbit package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Improper Certificate Validation Affected versions of this package are vulnerable to Improper Certificate Validation in the `RabbitConnectionFactoryBean.setUri` function when configuring a broker connection with an `amqps://` URI without also invoking `setUseSSL(true)`. An attacker can intercept or manipulate encrypted traffic by exploiting the lack of certificate validation and hostname verification. How to fix Improper Certificate Validation? Upgrade `org.springframework.amqp:spring-rabbit` to version 3.2.11, 4.0.4 or higher.	[,3.2.11)[4.0.0-M1,4.0.4)
L Insecure Randomness Affected versions of this package are vulnerable to Insecure Randomness via the `sendAndReceive` function when using a fixed reply queue, due to correlation IDs being generated sequentially by an internal counter. An attacker can intercept or inject unauthorized replies by predicting correlation IDs. Note: This is only exploitable if the target is configured with a fixed reply queue (`sendAndReceive()` with that setup), and the attacker wins a timing race to land the poisoned reply before the legitimate one with a matching tag. How to fix Insecure Randomness? Upgrade `org.springframework.amqp:spring-rabbit` to version 3.2.11, 4.0.4 or higher.	[,3.2.11)[4.0.0-M1,4.0.4)

Vulnerability

Vulnerable Version

Improper Certificate Validation

Affected versions of this package are vulnerable to Improper Certificate Validation in the RabbitConnectionFactoryBean.setUri function when configuring a broker connection with an amqps:// URI without also invoking setUseSSL(true). An attacker can intercept or manipulate encrypted traffic by exploiting the lack of certificate validation and hostname verification.

How to fix Improper Certificate Validation?

Upgrade org.springframework.amqp:spring-rabbit to version 3.2.11, 4.0.4 or higher.

[,3.2.11)[4.0.0-M1,4.0.4)

Insecure Randomness

Affected versions of this package are vulnerable to Insecure Randomness via the sendAndReceive function when using a fixed reply queue, due to correlation IDs being generated sequentially by an internal counter. An attacker can intercept or inject unauthorized replies by predicting correlation IDs.

Note:

This is only exploitable if the target is configured with a fixed reply queue (sendAndReceive() with that setup), and the attacker wins a timing race to land the poisoned reply before the legitimate one with a matching tag.

How to fix Insecure Randomness?

Upgrade org.springframework.amqp:spring-rabbit to version 3.2.11, 4.0.4 or higher.

[,3.2.11)[4.0.0-M1,4.0.4)

org.springframework.amqp:spring-rabbit@4.0.2

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically