{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-04T09:24:54.114","vulnerabilities":[{"cve":{"id":"CVE-2018-17187","sourceIdentifier":"security@apache.org","published":"2018-11-13T15:29:00.313","lastModified":"2024-11-21T03:54:02.880","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"The Apache Qpid Proton-J transport includes an optional wrapper layer to perform TLS, enabled by use of the 'transport.ssl(...)' methods. Unless a verification mode was explicitly configured, client and server modes previously defaulted as documented to not verifying a peer certificate, with options to configure this explicitly or select a certificate verification mode with or without hostname verification being performed. The latter hostname verifying mode was not implemented in Apache Qpid Proton-J versions 0.3 to 0.29.0, with attempts to use it resulting in an exception. This left only the option to verify the certificate is trusted, leaving such a client vulnerable to Man In The Middle (MITM) attack. Uses of the Proton-J protocol engine which do not utilise the optional transport TLS wrapper are not impacted, e.g. usage within Qpid JMS. Uses of Proton-J utilising the optional transport TLS wrapper layer that wish to enable hostname verification must be upgraded to version 0.30.0 or later and utilise the VerifyMode#VERIFY_PEER_NAME configuration, which is now the default for client mode usage unless configured otherwise."},{"lang":"es","value":"El transporte de Apache Qpid Proton-J incluye una capa wrapper opcional para realizar TLS, habilitado por el uso de los métodos \"transport.ssl(...)\". A menos que hubiese un modo de verificación explícito, los modos cliente y servidor se consideraban por defecto como documentados para así no verificar el certificado peer, con opciones para configurar esto de forma explícita o seleccionar un modo de verificación de certificado con o sin un proceso de verificación de nombres de host. Este último modo de verificación de nombres de host no se implementó en Apache Qpid Proton-J, de la versión 0.3 a la 0.29.0; los intentos para emplearlo resultaron en una excepción. Esto solo dejó una opción para verificar que se confía en el certificado, dejando que el cliente sea vulnerable a un ataque Man-in-the-Middle (MitM). Los usos del motor del protocolo Proton-J que no emplean el wrapper opcional de transporte TLS no se han visto impactados (p. ej., su uso en Qpid JMS). Los usos de Proton-J que empleen la capa wrapper opcional de transporte TLS que deseen habilitar la verificación de nombres de host deben actualizarse a la versión 0.30.0 o posteriores y emplear la configuración VerifyMode#VERIFY_PEER_NAME, que ahora es la predeterminada para el uso del modo cliente a no ser que se configure de otra forma."}],"metrics":{"cvssMetricV30":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":5.2}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:N","baseScore":5.8,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-295"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:qpid_proton-j:*:*:*:*:*:*:*:*","versionStartIncluding":"0.3","versionEndIncluding":"0.29.0","matchCriteriaId":"62762E8D-905E-46EB-9C97-3CE19EB8443F"}]}]}],"references":[{"url":"http://www.securityfocus.com/bid/105935","source":"security@apache.org","tags":["Third Party Advisory","VDB Entry"]},{"url":"https://issues.apache.org/jira/browse/PROTON-1962","source":"security@apache.org","tags":["Vendor Advisory"]},{"url":"https://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E","source":"security@apache.org","tags":["Mailing List","Mitigation","Vendor Advisory"]},{"url":"https://qpid.apache.org/cves/CVE-2018-17187.html","source":"security@apache.org","tags":["Mitigation","Vendor Advisory"]},{"url":"http://www.securityfocus.com/bid/105935","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","VDB Entry"]},{"url":"https://issues.apache.org/jira/browse/PROTON-1962","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"]},{"url":"https://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Mitigation","Vendor Advisory"]},{"url":"https://qpid.apache.org/cves/CVE-2018-17187.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mitigation","Vendor Advisory"]}]}}]}