Vulnerable Libraries - spring-amqp-1.1.0.RELEASE.jar, spring-amqp-2.0.0.RELEASE.jar, amqp-client-2.8.1.jar, amqp-client-5.0.0.jar, spring-rabbit-2.0.0.RELEASE.jar, spring-rabbit-1.1.0.RELEASE.jar, amqp-client-2.7.0.jar
spring-amqp-1.1.0.RELEASE.jar
Spring AMQP is a framework that makes it easy to write Java applications for the Advanced Message Queuing Protocol. It supports a variety of common high-level messaging patterns, such as synchronous and asynchronous consumers, synchronous producers, automatic reconnection, transactions, and batching. The emphasis is on declarative configuration and a POJO programming model without hiding the full power of the underlying protocol.
Library home page: http://www.springsource.org/spring-amqp
Path to dependency file: /dd-java-agent/instrumentation/rabbitmq-amqp-2.7/rabbitmq-amqp-2.7.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework.amqp/spring-amqp/1.1.0.RELEASE/d53434c48c9725e809c822df3a56d0d8d097ca0/spring-amqp-1.1.0.RELEASE.jar
Dependency Hierarchy:
- spring-rabbit-1.1.0.RELEASE.jar (Root Library)
  - ❌ spring-amqp-1.1.0.RELEASE.jar (Vulnerable Library)
spring-amqp-2.0.0.RELEASE.jar
Spring AMQP Core
Library home page: https://projects.spring.io/spring-amqp
Path to dependency file: /dd-java-agent/instrumentation/spring-rabbit/spring-rabbit.gradle
Paths to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework.amqp/spring-amqp/2.0.0.RELEASE/939a34155a2ec29f83aa65acfec91d5fdcc0e80a/spring-amqp-2.0.0.RELEASE.jar, /caches/modules-2/files-2.1/org.springframework.amqp/spring-amqp/2.0.0.RELEASE/939a34155a2ec29f83aa65acfec91d5fdcc0e80a/spring-amqp-2.0.0.RELEASE.jar
Dependency Hierarchy:
- ❌ spring-amqp-2.0.0.RELEASE.jar (Vulnerable Library)
amqp-client-2.8.1.jar
RabbitMQ AMQP Java Client
Library home page: http://www.rabbitmq.com
Path to dependency file: /dd-java-agent/instrumentation/rabbitmq-amqp-2.7/rabbitmq-amqp-2.7.gradle
Paths to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.rabbitmq/amqp-client/2.8.1/303d1a575baffa9e119b4a8a17e97f56630b34ef/amqp-client-2.8.1.jar, /caches/modules-2/files-2.1/com.rabbitmq/amqp-client/2.8.1/303d1a575baffa9e119b4a8a17e97f56630b34ef/amqp-client-2.8.1.jar
Dependency Hierarchy:
- ❌ amqp-client-2.8.1.jar (Vulnerable Library)
amqp-client-5.0.0.jar
The RabbitMQ Java client library allows Java applications to interface with RabbitMQ.
Library home page: http://www.rabbitmq.com
Path to dependency file: /dd-java-agent/instrumentation/spring-rabbit/spring-rabbit.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.rabbitmq/amqp-client/5.0.0/12c1f76ab5991556147ca35b85128521ebcfd093/amqp-client-5.0.0.jar
Dependency Hierarchy:
- spring-rabbit-2.0.0.RELEASE.jar (Root Library)
  - ❌ amqp-client-5.0.0.jar (Vulnerable Library)
spring-rabbit-2.0.0.RELEASE.jar
Spring RabbitMQ Support
Library home page: https://projects.spring.io/spring-amqp
Path to dependency file: /dd-java-agent/instrumentation/spring-rabbit/spring-rabbit.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/org.springframework.amqp/spring-rabbit/2.0.0.RELEASE/4b58070f2da1485edb63a740dedb7c5994500bcd/spring-rabbit-2.0.0.RELEASE.jar
Dependency Hierarchy:
- ❌ spring-rabbit-2.0.0.RELEASE.jar (Vulnerable Library)
spring-rabbit-1.1.0.RELEASE.jar
Spring AMQP is a framework that makes it easy to write Java applications for the Advanced Message Queuing Protocol. It supports a variety of common high-level messaging patterns, such as synchronous and asynchronous consumers, synchronous producers, automatic reconnection, transactions, and batching. The emphasis is on declarative configuration and a POJO programming model without hiding the full power of the underlying protocol.
Library home page: http://www.springsource.org/spring-amqp
Path to dependency file: /dd-java-agent/instrumentation/rabbitmq-amqp-2.7/rabbitmq-amqp-2.7.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/org.springframework.amqp/spring-rabbit/1.1.0.RELEASE/bea52fc593b5b2abf70afa9e05ad5ca8e36f7a77/spring-rabbit-1.1.0.RELEASE.jar
Dependency Hierarchy:
- ❌ spring-rabbit-1.1.0.RELEASE.jar (Vulnerable Library)
amqp-client-2.7.0.jar
RabbitMQ AMQP Java Client
Library home page: http://www.rabbitmq.com
Path to dependency file: /dd-java-agent/instrumentation/rabbitmq-amqp-2.7/rabbitmq-amqp-2.7.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/com.rabbitmq/amqp-client/2.7.0/54ac2d32f5f992abe6883cd5ae3c256bccc0117a/amqp-client-2.7.0.jar
Dependency Hierarchy:
- ❌ amqp-client-2.7.0.jar (Vulnerable Library)
Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079
Found in base branch: master
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11087
Release Date: 2018-09-11
Fix Resolution (org.springframework.amqp:spring-amqp): 1.7.10.RELEASE
Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.7.10.RELEASE
Fix Resolution (com.rabbitmq:amqp-client): 5.4.1
Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 2.1.0.RELEASE
CVE-2018-11087 - Medium Severity Vulnerability
Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit.
Publish Date: 2018-09-14
URL: https://nvd.nist.gov/vuln/detail/CVE-2018-11087
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
⛑️ Automatic Remediation is available for this issue