598 matches found
[SECURITY] Fedora 44 Update: librabbitmq-0.17.0-1.fc44
This is a C-language AMQP client library for use with AMQP servers speaking protocol versions 0-9-1...
CVE-2026-57218 RabbitMQ: AMQP 0-9-1 in combination with OAuth 2: consumer persistence can lead to post-revocation message disclosure
RabbitMQ is a messaging and streaming broker. Prior to 4.2.6, RabbitMQ AMQP 0-9-1 allows an existing consumer to keep receiving messages after OAuth token expiry or connection.updatesecret refresh to reduced scopes because existing consumers are not canceled or reauthorized at delivery time after...
CVE-2026-57218 RabbitMQ: AMQP 0-9-1 in combination with OAuth 2: consumer persistence can lead to post-revocation message disclosure
RabbitMQ is a messaging and streaming broker. Prior to 4.2.6, RabbitMQ AMQP 0-9-1 allows an existing consumer to keep receiving messages after OAuth token expiry or connection.updatesecret refresh to reduced scopes because existing consumers are not canceled or reauthorized at delivery time after...
[SECURITY] Fedora 43 Update: librabbitmq-0.17.0-1.fc43
This is a C-language AMQP client library for use with AMQP servers speaking protocol versions 0-9-1...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the JmsBinding.extractBodyFromJms process when handling JMS ObjectMessages with the mapJmsMessage option enabled. An attacker can inject arbitrary Exchange state by publishing a crafted ObjectMessage...
[SECURITY] Fedora 43 Update: librabbitmq-0.16.0-1.fc43
This is a C-language AMQP client library for use with AMQP servers speaking protocol versions 0-9-1...
librabbitmq security update
An update is available for librabbitmq. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list The librabbitmq packages provide an Advanced Message Queuing Protocol AMQ...
RLSA-2023:6482 Moderate: librabbitmq security update
The librabbitmq packages provide an Advanced Message Queuing Protocol AMQP client library that allows you to communicate with AMQP servers using protocol version 0-9-1. Security Fixes: rabbitmq-c/librabbitmq: Insecure credentials submission CVE-2023-35789 For more details about the security issue...
OESA-2026-2713 librabbitmq security update
This is a C-language AMQP client library for use with AMQP servers speaking protocol versions 0-9-1. Security Fixes: CVE-2026-44235 CVE-2026-44236...
Insecure Randomness
Overview Affected versions of this package are vulnerable to Insecure Randomness via the sendAndReceive function when using a fixed reply queue, due to correlation IDs being generated sequentially by an internal counter. An attacker can intercept or inject unauthorized replies by predicting...
EUVD-2026-35895
Correlation IDs for replies in the RabbitTemplate.sendAndReceive with the fixed reply queue are predictable due to internal simple counter. Affected versions: Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1.0 through 3.1.15; 2.4.0 through 2.4.17...
CVE-2026-41714
Applications that configure their broker connection via RabbitConnectionFactoryBean.setUri"amqps://..." without also calling setUseSSLtrue get TLS encryption with no certificate validation and no hostname verification. Affected versions: Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1....
CVE-2026-41714 In Spring AMQP the RabbitConnectionFactoryBean.setUri("amqps://...") bypasses secure SSL setup, uses TrustEverythingTrustManager
Applications that configure their broker connection via RabbitConnectionFactoryBean.setUri"amqps://..." without also calling setUseSSLtrue get TLS encryption with no certificate validation and no hostname verification. Affected versions: Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1....
CVE-2026-41714 In Spring AMQP the RabbitConnectionFactoryBean.setUri("amqps://...") bypasses secure SSL setup, uses TrustEverythingTrustManager
Applications that configure their broker connection via RabbitConnectionFactoryBean.setUri"amqps://..." without also calling setUseSSLtrue get TLS encryption with no certificate validation and no hostname verification. Affected versions: Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1....
CVE-2026-41701 In Spring AMQP sequential correlation IDs enable reply poisoning on fixed reply queues
Correlation IDs for replies in the RabbitTemplate.sendAndReceive with the fixed reply queue are predictable due to internal simple counter. Affected versions: Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1.0 through 3.1.15; 2.4.0 through 2.4.17...
CVE-2026-41701
CVE-2026-41701 affects Spring AMQP (RabbitTemplate) where correlation IDs for replies on fixed reply queues are generated by an internal simple counter, making them predictable. This data from NVD/CVE listings confirms the issue affects multiple versions (2.4.0–2.4.17, 3.1.0–3.1.15, 3.2.0–3.2.10,...
CVE-2026-41701 In Spring AMQP sequential correlation IDs enable reply poisoning on fixed reply queues
Correlation IDs for replies in the RabbitTemplate.sendAndReceive with the fixed reply queue are predictable due to internal simple counter. Affected versions: Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1.0 through 3.1.15; 2.4.0 through 2.4.17...
PT-2026-48317
Name of the Vulnerable Software and Affected Versions Spring AMQP versions 4.0.0 through 4.0.3 Spring AMQP versions 3.2.0 through 3.2.10 Spring AMQP versions 3.1.0 through 3.1.15 Spring AMQP versions 2.4.0 through 2.4.17 Description Applications that configure their broker connection using the...
cve-2026-41701 - MEDIUM - In Spring AMQP sequential correlation IDs enable reply poisoning on fixed reply queues
cve-2026-41701 - MEDIUM - In Spring AMQP sequential correlation IDs enable reply poisoning on fixed reply queues...
Spring Office Hours Podcast: S5E16 - May Release Train Shift & What's Coming in Spring Boot 4.1
Join Dan Vega and DaShaun Carter for the latest updates from the Spring Ecosystem. In this episode, Dan and DaShaun break down the recently announced shift of the May release train from May 11-22 to June 1-5, and what that means for your upgrade planning across the Spring portfolio. They also dig...