CVE-2012-4446
First published: Thu Aug 23 2012(Updated: )
The default configuration for Apache Qpid 0.20 and earlier, when the federation_tag attribute is enabled, accepts AMQP connections without checking the source user ID, which allows remote attackers to bypass authentication and have other unspecified impact via an AMQP request.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Qpid | <=0.20 | |
| Apache Qpid | =0.5 | |
| Apache Qpid | =0.6 | |
| Apache Qpid | =0.7 | |
| Apache Qpid | =0.8 | |
| Apache Qpid | =0.9 | |
| Apache Qpid | =0.10 | |
| Apache Qpid | =0.11 | |
| Apache Qpid | =0.12 | |
| Apache Qpid | =0.13 | |
| Apache Qpid | =0.14 | |
| Apache Qpid | =0.15 | |
| Apache Qpid | =0.16 | |
| Apache Qpid | =0.17 | |
| Apache Qpid | =0.18 | |
| Apache Qpid | =0.19 | |
| redhat/qpid-cpp | <0.23 | 0.23 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://rhn.redhat.com/errata/RHSA-2013-0561.html
- http://rhn.redhat.com/errata/RHSA-2013-0562.html
- http://secunia.com/advisories/52516
- https://bugzilla.redhat.com/show_bug.cgi?id=851355
- https://issues.apache.org/jira/browse/QPID-4631
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=851355#c4
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=851355#c3
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=607797&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=607797&action=edit
- http://qpid.apache.org/books/trunk/AMQP-Messaging-Broker-CPP-Book/html/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Authorization-Specifying_ACL_Permissions
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=851355#c8
- https://access.redhat.com/security/cve/CVE-2012-4446
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=851355#c9
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=851355#c10
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=851355#c11
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=851355#c12
- https://rhn.redhat.com/errata/RHSA-2013-0562.html
- https://rhn.redhat.com/errata/RHSA-2013-0561.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=918804
Frequently Asked Questions
What is the severity of CVE-2012-4446?
CVE-2012-4446 is considered to be of medium severity due to the potential for remote attackers to bypass authentication.
How do I fix CVE-2012-4446?
To fix CVE-2012-4446, upgrade Apache Qpid to version 0.23 or later.
What versions of Apache Qpid are affected by CVE-2012-4446?
CVE-2012-4446 affects Apache Qpid versions 0.20 and earlier, as well as specific versions 0.5 through 0.19.
What impact does CVE-2012-4446 have on applications?
CVE-2012-4446 allows remote attackers to bypass authentication, potentially leading to unauthorized access to the application.
Is CVE-2012-4446 associated with a specific configuration option?
Yes, CVE-2012-4446 is related to the default configuration of Apache Qpid when the federation_tag attribute is enabled.
- collector/nvd-index
- collector/redhat-bugzilla
- alias/CVE-2012-4446
- vendor/apache
- product/qpid
- canonical/apache qpid
- package-manager/redhat