[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE-2015-0223: anonymous access to qpidd cannot be prevented

To: "users@xxxxxxxxxxxxxxx" <users@xxxxxxxxxxxxxxx>, "dev@xxxxxxxxxxxxxxx" <dev@xxxxxxxxxxxxxxx>, announce@xxxxxxxxxx, "security@xxxxxxxxxx" <security@xxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
Subject: CVE-2015-0223: anonymous access to qpidd cannot be prevented
From: Gordon Sim <gsim@xxxxxxxxxx>
Date: Mon, 26 Jan 2015 09:11:04 +0000

   Apache Software Foundation - Security Advisory

      anonymous access to qpidd cannot be prevented

CVE-2015-0223  CVS: 5.8

Severity: Moderate

Vendor:

The Apache Software Foundation

Versions Affected:

Apache Qpid's qpidd up to and including version 0.30

Description:

An attacker can gain access to qpidd as an anonymous user, even if the
ANONYMOUS mechanism is disallowed.

Solution:

A patch is available (https://issues.apache.org/jira/browse/QPID-6325)
that addresses this vulnerability. The fix will be included in
subsequent releases, but can be applied to 0.30 if desired.

Common Vulnerability Score information:

Authorization can be used to restrict access to broker entities such
as queue and exchanges.

Credit:

This issue was discovered by G. Geshev from MWR Labs

Common Vulnerability Score information:

CVSS Base Score                  5.8
Impact Subscore                  4.9
Exploitability Subscore          8.6
Overall CVSS Score               5.8

Prev by Date: CVE-2015-0224: qpidd can be crashed by unauthenticated user
Next by Date: [SYSS-2014-012] FancyFon FAMOC - Session Fixation
Previous by thread: CVE-2015-0224: qpidd can be crashed by unauthenticated user
Next by thread: [SYSS-2014-012] FancyFon FAMOC - Session Fixation
Index(es):
- Date
- Thread