Auth bypass in Apache Qpid

CVE-2012-4446

The default configuration for Apache Qpid 0.20 and earlier, when the federation_tag attribute is enabled, accepts AMQP connections without checking the source user ID, which allows remote attackers to bypass authentication and have other u…

Vulnerability class: Broken Authentication

EPSS: 0.004 (63.5th percentile) — read the EPSS interpretation.

Affected products

Apache Qpid — versions 0.5, 0.6, 0.7
N/a — versions n/a

Weakness classification (CWE)

CWE-287 — Improper Authentication

References

secalert@redhat.com (x_refsource_CONFIRM)
RHSA-2013:0561 (x_refsource_REDHAT, vendor-advisory)
RHSA-2013:0562 (x_refsource_REDHAT, vendor-advisory)
secalert@redhat.com (x_refsource_MISC)
52516 (x_refsource_SECUNIA, third-party-advisory, Vendor Advisory)