Apache Software Foundation - Security Advisory

anonymous access to qpidd cannot be prevented

CVE-2015-0223 CVSS: 5.8

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected: Apache Qpid's qpidd up to and including version 0.30

Description: An attacker can gain access to qpidd as an anonymous user, even if the ANONYMOUS mechanism is disallowed.

Solution: A patch is available (https://issues.apache.org/jira/browse/QPID-6325) that addresses this vulnerability. The fix will be included in subsequent releases, but can be applied to 0.30 if desired.

Common Vulnerability Score information: Authorization can be used to restrict access to broker entities such as queues and exchanges.

Credit: This issue was discovered by G. Geshev from MWR Labs.

Common Vulnerability Score information:
CVSS Base Score 5.8
Impact Subscore 4.9
Exploitability Subscore 8.6
Overall CVSS Score 5.8