Man-in-the-Middle (MitM) Affecting org.apache.qpid:proton-j package, versions [,0.12.1)
Attack Complexity: High
Integrity: High
snyk-id: SNYK-JAVA-ORGAPACHEQPID-466325
published: 9 Mar 2016
disclosed: 9 Mar 2016
credit: Matthew Farrellee
Introduced: 9 Mar 2016
CVE-2016-2166
How to fix?
Upgrade org.apache.qpid:proton-j to version 0.12.1 or higher.
Overview
org.apache.qpid:proton-j is a lightweight messaging library.
Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). The proton.reactor.Connector, proton.reactor.Container, and proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.
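A simplified model of the fail-open behaviour described above, next to a fail-closed version, added here as an illustration. It is not Qpid Proton code: the function names, the returned dictionary shape and the host broker.example are assumptions.

```python
from urllib.parse import urlsplit

# IANA-registered default ports for the two AMQP URI schemes.
DEFAULT_PORTS = {"amqp": 5672, "amqps": 5671}


class TlsUnavailableError(RuntimeError):
    """An amqps URI was requested but no TLS layer can be set up."""


def plan_fail_open(url, tls_available):
    """Flawed pattern: amqps silently degrades to plaintext without TLS."""
    parts = urlsplit(url)
    wants_tls = parts.scheme == "amqps"
    return {
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "encrypted": wants_tls and tls_available,  # the downgrade happens here
    }


def plan_fail_closed(url, tls_available):
    """Hardened pattern: the scheme is a requirement, so refuse to connect."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    wants_tls = parts.scheme == "amqps"
    if wants_tls and not tls_available:
        raise TlsUnavailableError("amqps requested but TLS support is unavailable")
    return {
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "encrypted": wants_tls,
    }


def tls_supported():
    """Probe whether this interpreter can build a TLS context at all."""
    try:
        import ssl
        ssl.create_default_context()
    except (ImportError, OSError):  # ssl.SSLError is a subclass of OSError
        return False
    return True


if __name__ == "__main__":
    url = "amqps://broker.example"  # constructed sample URI
    print(plan_fail_open(url, tls_available=False))
    print(plan_fail_closed(url, tls_available=tls_supported()))
```

A client that cannot upgrade immediately can apply the same guard before handing an amqps URI to the library.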