CVE Vulnerabilities

CVE-2011-3620

Improper Authentication

Published: May 03, 2012 | Modified: Aug 14, 2012
CVSS 3.x: N/A
Source: NVD
CVSS 2.x: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
RedHat/V2: 5.8 MODERATE (AV:A/AC:L/Au:N/C:P/I:P/A:P)
RedHat/V3
Ubuntu: MEDIUM

Apache Qpid 0.12 does not properly verify credentials during the joining of a cluster, which allows remote attackers to obtain access to the messaging functionality and job functionality of a cluster by leveraging knowledge of a cluster-username.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name | Vendor | Start Version | End Version
Qpid | Apache | 0.12 (including) | 0.12 (including)
MRG for RHEL-5 v. 2 | RedHat | condor-0:7.6.5-0.14.el5 | *
MRG for RHEL-5 v. 2 | RedHat | python-qpid-0:0.14-6.el5 | *
MRG for RHEL-5 v. 2 | RedHat | qpid-cpp-mrg-0:0.14-14.el5 | *
MRG for RHEL-5 v. 2 | RedHat | qpid-java-0:0.14-3.el5 | *
MRG for RHEL-5 v. 2 | RedHat | qpid-jca-0:0.14-9.el5 | *
MRG for RHEL-5 v. 2 | RedHat | qpid-qmf-0:0.14-9.el5 | *
MRG for RHEL-5 v. 2 | RedHat | qpid-tests-0:0.14-1.el5 | *
MRG for RHEL-5 v. 2 | RedHat | qpid-tools-0:0.14-2.el5 | *
MRG for RHEL-5 v. 2 | RedHat | sesame-0:1.0-3.el5 | *
Red Hat Enterprise MRG 2 | RedHat | condor-0:7.6.5-0.14.el6 | *
Red Hat Enterprise MRG 2 | RedHat | qpid-cpp-0:0.14-14.el6_2 | *
Red Hat Enterprise MRG 2 | RedHat | qpid-java-0:0.14-3.el6 | *
Red Hat Enterprise MRG 2 | RedHat | qpid-jca-0:0.14-9.el6 | *
Red Hat Enterprise MRG 2 | RedHat | qpid-qmf-0:0.14-7.el6_2 | *
Red Hat Enterprise MRG 2 | RedHat | sesame-0:1.0-5.el6 | *
Qpid-cpp | Ubuntu | artful | *
Qpid-cpp | Ubuntu | precise | *
Qpid-cpp | Ubuntu | quantal | *
Qpid-cpp | Ubuntu | raring | *
Qpid-cpp | Ubuntu | saucy | *
Qpid-cpp | Ubuntu | trusty | *
Qpid-cpp | Ubuntu | utopic | *
Qpid-cpp | Ubuntu | vivid | *
Qpid-cpp | Ubuntu | wily | *
Qpid-cpp | Ubuntu | xenial | *
Qpid-cpp | Ubuntu | yakkety | *
Qpid-cpp | Ubuntu | zesty | *
