CVE-2016-2173
critical
CVSS v3
9.8
CVSS v2
7.5
VIR risk
9.8
Description
Spring AMQP before 1.5.5 deserializes the body of any message whose content type is application/x-java-serialized-object with plain Java serialization and no class restrictions (NVD: org.springframework.core.serializer.DefaultDeserializer in Spring AMQP before 1.5.5 allows remote attackers to execute arbitrary code via a crafted serialized object). A producer that can publish to a queue the application consumes can therefore run attacker-chosen gadget chains inside the consumer's JVM.
Predictions
Exploit likelihood
97%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
- Upgrade org.springframework.amqp:spring-amqp to 1.5.5 or later. Vendor advisory: https://pivotal.io/security/cve-2016-2173. The Red Hat bug (https://bugzilla.redhat.com/show_bug.cgi?id=1326205) and the three Fedora package announcements listed under References are distribution rebuilds of the same fix, not separate vendor advisories.
- Until the upgrade lands, do not let the default SimpleMessageConverter or SerializerMessageConverter consume from any queue a less-trusted producer can publish to; the vulnerable code path is reached purely by the message's content-type header and body, with no authentication beyond broker access.
- After upgrading, set the class-name allowlist that 1.5.5 introduced on SimpleMessageConverter and SerializerMessageConverter explicitly. 1.5.5 kept an empty list meaning "allow everything" for backward compatibility, and whether an empty list permits or rejects deserialization differs between later releases, so an upgrade with no allowlist configured may leave the deserialization path as open as before.
- Where the application controls both producer and consumer, prefer a converter that does not use Java serialization at all (for example the JSON converter), which removes the gadget-chain surface entirely rather than restricting it.
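The converter configuration this CVE concerns, as an added example written for this page rather than code from the advisory or from the Spring AMQP project. It shows the pre-1.5.5 default that is exploitable, the allowlisted form that 1.5.5 made possible, and a wrapper that refuses Java-serialized bodies outright. It assumes Spring AMQP 1.5.5 or later on the classpath and uses the allowlist setter under its 1.5.x name, setWhiteListPatterns (later 2.x releases also expose it as setAllowedListPatterns); com.example.orders is a hypothetical application package, and the wrapper class with its stream-magic check is this page's own defense-in-depth addition, not a Spring API.

```java
// Added example for CVE-2016-2173 (not from the advisory or the Spring AMQP
// project). Assumes Spring AMQP 1.5.5+; "com.example.orders" is hypothetical.
import java.util.Arrays;

import org.springframework.amqp.core.Message;
import org.springframework.amqp.core.MessageProperties;
import org.springframework.amqp.support.converter.MessageConversionException;
import org.springframework.amqp.support.converter.MessageConverter;
import org.springframework.amqp.support.converter.SimpleMessageConverter;

public final class Cve20162173Mitigation {

    /** Vulnerable shape: the default converter. Before 1.5.5, every body
     *  tagged application/x-java-serialized-object is fed to ObjectInputStream
     *  with no class restrictions, so the producer picks what gets instantiated. */
    static MessageConverter vulnerableConverter() {
        return new SimpleMessageConverter();
    }

    /** Hardened: 1.5.5 added a class-name allowlist. Only classes matching
     *  these patterns may be deserialized; set it explicitly, because an
     *  empty list is treated differently across releases. */
    static MessageConverter allowlistedConverter() {
        SimpleMessageConverter converter = new SimpleMessageConverter();
        converter.setWhiteListPatterns(Arrays.asList(
                "com.example.orders.*",   // hypothetical application DTOs
                "java.util.*",            // collections those DTOs carry
                "java.lang.*"));          // boxed primitives and String
        return converter;
    }

    /** Defense in depth (page's own addition): refuse Java-serialized bodies
     *  before any converter sees them. Checks both the content-type header and
     *  the serialization stream magic AC ED 00 05, since the producer sets
     *  the header and could relabel a serialized body. */
    static final class NoJavaSerializationConverter implements MessageConverter {
        private final MessageConverter delegate;

        NoJavaSerializationConverter(MessageConverter delegate) {
            this.delegate = delegate;
        }

        static boolean looksSerialized(Message message) {
            MessageProperties props = message.getMessageProperties();
            String contentType = props == null ? null : props.getContentType();
            byte[] body = message.getBody();
            boolean magic = body != null && body.length >= 4
                    && body[0] == (byte) 0xAC && body[1] == (byte) 0xED
                    && body[2] == 0x00 && body[3] == 0x05;
            return MessageProperties.CONTENT_TYPE_SERIALIZED_OBJECT.equals(contentType) || magic;
        }

        @Override
        public Object fromMessage(Message message) throws MessageConversionException {
            if (looksSerialized(message)) {
                // Fail closed; the listener container will reject or requeue
                // according to its error-handling configuration.
                throw new MessageConversionException(
                        "Refusing Java-serialized message body (CVE-2016-2173 hardening)");
            }
            return delegate.fromMessage(message);
        }

        @Override
        public Message toMessage(Object object, MessageProperties props)
                throws MessageConversionException {
            return delegate.toMessage(object, props);
        }
    }
}
```

Install whichever converter you choose with RabbitTemplate.setMessageConverter(...) or on the listener adapter. The allowlist is the mitigation the vendor shipped; the wrapper suits consumers that should never receive Java-serialized bodies at all. Note that SimpleMessageConverter only deserializes when the header says application/x-java-serialized-object, so a relabelled body carrying the stream magic would not reach ObjectInputStream anyway; the magic check is a tripwire that makes such probing visible in the error log rather than a substitute for the allowlist.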
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| fedora | 22 | affected | |
| fedora | 23 | affected | |
| fedora | 24 | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.springframework.amqp:spring-amqp | <1.5.5 | 1.5.5 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| VMware | Spring AMQP (CPE product: spring_advanced_message_queuing_protocol) | < 1.5.5 | 1.5.5 |
References
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182551.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182850.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182959.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1326205
- https://pivotal.io/security/cve-2016-2173
- https://nvd.nist.gov/vuln/detail/CVE-2016-2173
CWEs
CWE-20 (Improper Input Validation), as assigned by NVD. The underlying defect is deserialization of untrusted data (CWE-502): the input is not malformed in any way validation would catch, it is a well-formed Java serialization stream whose classes the consumer has no business instantiating.