  1. Qpid
  2. QPID-8039

[CVE-2017-15702] [Broker-J] HTTP Ports may be tricked into using the wrong authentication provider


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 0.18, 0.32
    • Fix Version/s: qpid-java-6.0
    • Component/s: Broker-J
    • Labels:
      None

      Description

      In Qpid Broker-J 0.18..0.32, when connecting to the HTTP port, it is possible to trick the port into using an authentication provider other than the one configured on the port. This becomes an issue if many authentication providers are configured and one offers less trust than another.

      This was resolved in Qpid Broker-J v6.0.0 and above.


            People

            • Assignee: Unassigned
            • Reporter: Lorenz Quack (lorenz.quack)
