CVE-2017-15702

Name: CVE-2017-15702
Creator: NVD / NIST
Published: 2017-12-01T15:29:00.26+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 6.21%

Last modified Jun 17, 2026

CVE-2017-15702 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. In Apache Qpid Broker-J 0.18 through 0.32, if the broker is configured with different authentication providers on different ports one of which is an HTTP port, then the broker can be tricked by a remote unauthenticated attacker connecting to the HTTP port into using an authentication provider that was configured on a different port. The attacker still needs valid credentials with the authentication provider on the spoofed port. EPSS estimates a 6.21% chance of exploitation in the next 30 days.

Description

In Apache Qpid Broker-J 0.18 through 0.32, if the broker is configured with different authentication providers on different ports one of which is an HTTP port, then the broker can be tricked by a remote unauthenticated attacker connecting to the HTTP port into using an authentication provider that was configured on a different port. The attacker still needs valid credentials with the authentication provider on the spoofed port. This becomes an issue when the spoofed port has weaker authentication protection (e.g., anonymous access, default accounts) and is normally protected by firewall rules or similar which can be circumvented by this vulnerability. AMQP ports are not affected. Versions 6.0.0 and newer are not affected.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

6.21%

92.6th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

Vendor	Product	Versions
Apache	Qpid Broker-J	>= 0.18, <= 0.32

References

http://www.securityfocus.com/bid/102040Third Party Advisory, VDB Entry
https://issues.apache.org/jira/browse/QPID-8039Vendor Advisory
https://lists.apache.org/thread.html/59d241e30db23b8b0af26bb273f789aa1f08515d3dc1a3868d3ba090%40%3Cdev.qpid.apache.org%3E
https://qpid.apache.org/cves/CVE-2017-15702.htmlVendor Advisory
http://www.securityfocus.com/bid/102040Third Party Advisory, VDB Entry
https://issues.apache.org/jira/browse/QPID-8039Vendor Advisory
https://lists.apache.org/thread.html/59d241e30db23b8b0af26bb273f789aa1f08515d3dc1a3868d3ba090%40%3Cdev.qpid.apache.org%3E
https://qpid.apache.org/cves/CVE-2017-15702.htmlVendor Advisory

Timeline

Published: Dec 1, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-15702?

How severe is CVE-2017-15702?

CVE-2017-15702 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 6.21% probability of exploitation in the next 30 days.

How do I fix CVE-2017-15702?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-15702?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST