
CVE-2016-2166: Moderate severity vulnerability that affects org.apache.qpid:proton-j

CVSS Score (v3.0): 6.5

Basic Information

EPSS Score: 0.45522%
Published: 10/16/2018
Updated: 1/9/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
Package Name              Ecosystem  Vulnerable Versions  First Patched Version
org.apache.qpid:proton-j  maven      < 0.12.1             0.12.1

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability lies in the connection establishment paths that handle the amqps URI scheme. Before 0.12.1, the client connect path (Connector._connect) and the server listener path (Container.listen) proceeded with an unencrypted connection when amqps was requested but SSL support was unavailable, so a caller that asked for TLS could silently end up speaking cleartext AMQP, and a profiler or packet capture would show these functions handling sensitive data without encryption. The fix in 0.12.1 adds explicit SSL availability checks to both paths so that an amqps request fails instead of downgrading. The third class named in the CVE description, proton.utils.BlockingConnection, connects through a Container and therefore goes through the same Connector path; it is covered by the same fix even though it is not touched directly in the patch. Note that the classes named are the Python bindings' proton.reactor and proton.utils modules shipped with the Qpid Proton release; the maven proton-j coordinate above is the advisory index's package mapping, so users of the Python package should check their installed version against 0.12.1 as well.
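The downgrade described above, reduced to a runnable model. This is an added example and not Qpid Proton's code: it reproduces the shape of the pre-fix and post-fix connect path with a hypothetical Endpoint class standing in for proton.Transport, so it runs offline without the proton package. The URLs and the ssl_domain object are constructed inputs; the function and class names are illustrative.

```python
"""Model of the amqps-to-cleartext fallback fixed in Qpid Proton 0.12.1.

Added example, not Qpid Proton's code. It mirrors the decision made in the
patched Python connect path (and, by the same logic, the listener path)
using a hypothetical Endpoint model so it runs offline.
"""
from typing import Optional
from urllib.parse import urlsplit

AMQP_PORT, AMQPS_PORT = 5672, 5671


class SSLUnavailable(Exception):
    """amqps requested but no SSL domain / SSL libraries are available."""


class Endpoint:
    """Hypothetical stand-in for a proton Transport: records whether TLS was layered on."""

    def __init__(self, host: str, port: int) -> None:
        self.host = host
        self.port = port
        self.encrypted = False
        self.peer_hostname: Optional[str] = None


def parse_amqp_url(url: str):
    """Return (scheme, host, port), defaulting the port from the scheme."""
    parts = urlsplit(url)
    scheme = parts.scheme or "amqp"
    if scheme not in ("amqp", "amqps"):
        raise ValueError("unsupported scheme: %s" % scheme)
    port = parts.port or (AMQPS_PORT if scheme == "amqps" else AMQP_PORT)
    return scheme, parts.hostname, port


def connect_vulnerable(url: str, ssl_domain) -> Endpoint:
    """Pre-0.12.1 shape: TLS is layered on only when an SSL domain exists.

    With ssl_domain None (no SSL support), an amqps request silently becomes
    a plaintext endpoint and the caller is never told.
    """
    scheme, host, port = parse_amqp_url(url)
    ep = Endpoint(host, port)
    if scheme == "amqps" and ssl_domain is not None:
        ep.encrypted = True
        ep.peer_hostname = host
    return ep


def connect_fixed(url: str, ssl_domain) -> Endpoint:
    """0.12.1 shape: an amqps request without SSL support fails closed."""
    scheme, host, port = parse_amqp_url(url)
    ep = Endpoint(host, port)
    if scheme == "amqps":
        if ssl_domain is None:
            raise SSLUnavailable("amqps: SSL libraries not found")
        ep.encrypted = True
        ep.peer_hostname = host
    return ep


def downgraded(url: str, ep: Endpoint) -> bool:
    """Application-level check: did an amqps request end up unencrypted?

    A caller can assert this after connecting, independent of library version.
    """
    scheme, _, _ = parse_amqp_url(url)
    return scheme == "amqps" and not ep.encrypted


def refuses_downgrade(connect, url: str, ssl_domain) -> bool:
    """True if `connect` raises SSLUnavailable instead of returning plaintext."""
    try:
        connect(url, ssl_domain)
    except SSLUnavailable:
        return True
    return False


if __name__ == "__main__":
    # Constructed input: a broker URL that asks for TLS while no SSL domain exists.
    url = "amqps://broker.example"
    print("vulnerable downgraded:", downgraded(url, connect_vulnerable(url, None)))
    print("fixed refuses:", refuses_downgrade(connect_fixed, url, None))
```

The `downgraded` check is the belt-and-braces assertion an application can add around its own connect call: if the URL said amqps, the resulting transport must be encrypted, whatever the library version. To confirm what an installed Python binding will do, check that its version is at least 0.12.1 and that the bindings were built with SSL (the `proton.SSL.present()` static method reports this).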


Description

The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which
