Uploaded image for project: 'Qpid'
  1. Qpid
  2. QPID-8039

[CVE-2017-15702] [Broker-J] HTTP Ports may be tricked into using the wrong authentication provider

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 0.18, 0.32
    • Fix Version/s: qpid-java-6.0
    • Component/s: Broker-J
    • Labels:
      None

      Description

      In Qpid Broker-J 0.18..0.32 the when connecting to the HTTP port, it is possible to trick the port into using an authentication provider other than the one configured on the port. This becomes an issue if many authentication providers are configured and one offers less trust than another.

      This was resolved in Qpid Broker-J v6.0.0 and above.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                lorenz.quack Lorenz Quack
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: