GHSA-w4g2-9hj6-5472

Suggest an improvement
Source
https://github.com/advisories/GHSA-w4g2-9hj6-5472
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-w4g2-9hj6-5472/GHSA-w4g2-9hj6-5472.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-w4g2-9hj6-5472
Aliases
Published
2018-10-18T18:06:08Z
Modified
2023-11-01T04:48:46.947927Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Moderate severity vulnerability that affects com.rabbitmq:amqp-client and org.springframework.amqp:spring-amqp
Details

Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit.

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2020-06-16T21:59:27Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-295"
    ]
}
References

Affected packages

Maven / org.springframework.amqp:spring-amqp

Package

Name
org.springframework.amqp:spring-amqp
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.amqp/spring-amqp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.6

Affected versions

2.*

2.0.0.RELEASE
2.0.1.RELEASE
2.0.2.RELEASE
2.0.3.RELEASE
2.0.4.RELEASE
2.0.5.RELEASE

Maven / org.springframework.amqp:spring-amqp

Package

Name
org.springframework.amqp:spring-amqp
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.amqp/spring-amqp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.7.10

Affected versions

1.*

1.0.0.RELEASE
1.1.0.RELEASE
1.1.1.RELEASE
1.1.2.RELEASE
1.1.3.RELEASE
1.1.4.RELEASE
1.2.0.RELEASE
1.2.1.RELEASE
1.2.2.RELEASE
1.3.0.RELEASE
1.3.1.RELEASE
1.3.2.RELEASE
1.3.3.RELEASE
1.3.4.RELEASE
1.3.5.RELEASE
1.3.6.RELEASE
1.3.7.RELEASE
1.3.8.RELEASE
1.3.9.RELEASE
1.4.0.RELEASE
1.4.1.RELEASE
1.4.2.RELEASE
1.4.3.RELEASE
1.4.4.RELEASE
1.4.5.RELEASE
1.4.6.RELEASE
1.5.0.RELEASE
1.5.1.RELEASE
1.5.2.RELEASE
1.5.3.RELEASE
1.5.4.RELEASE
1.5.5.RELEASE
1.5.6.RELEASE
1.5.7.RELEASE
1.6.0.RELEASE
1.6.1.RELEASE
1.6.2.RELEASE
1.6.3.RELEASE
1.6.4.RELEASE
1.6.5.RELEASE
1.6.6.RELEASE
1.6.7.RELEASE
1.6.8.RELEASE
1.6.9.RELEASE
1.6.10.RELEASE
1.6.11.RELEASE
1.7.0.RELEASE
1.7.1.RELEASE
1.7.2.RELEASE
1.7.3.RELEASE
1.7.4.RELEASE
1.7.5.RELEASE
1.7.6.RELEASE
1.7.7.RELEASE
1.7.8.RELEASE
1.7.9.RELEASE

Maven / com.rabbitmq:amqp-client

Package

Name
com.rabbitmq:amqp-client
View open source insights on deps.dev
Purl
pkg:maven/com.rabbitmq/amqp-client

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.8.0

Affected versions

1.*

1.3.0
1.5.4
1.5.5
1.6.0
1.7.2
1.8.0
1.8.1

2.*

2.0.0
2.1.0
2.1.1
2.2.0
2.3.0
2.3.1
2.4.1
2.5.0
2.5.1
2.6.0
2.6.1
2.7.0
2.7.1
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.5.6
3.5.7
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.1.0
4.1.1
4.2.0
4.2.1
4.2.2
4.3.0
4.4.0
4.4.1
4.4.2
4.5.0
4.6.0
4.7.0

Maven / com.rabbitmq:amqp-client

Package

Name
com.rabbitmq:amqp-client
View open source insights on deps.dev
Purl
pkg:maven/com.rabbitmq/amqp-client

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.4.0

Affected versions

5.*

5.0.0
5.1.0
5.1.1
5.1.2
5.2.0
5.3.0