Home
MEDIUM: 4.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:NDefault status
unaffected
4.0.0 (custom) before 4.0.4
affected
3.2.0 (custom) before 3.2.11
affected
3.1.0 (custom) before 3.1.16
affected
2.4.0 (custom) before 2.4.18
affected
Description
Applications that configure their broker connection via RabbitConnectionFactoryBean.setUri("amqps://...") without also calling setUseSSL(true) get TLS encryption with no certificate validation and no hostname verification. Affected versions: Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1.0 through 3.1.15; 2.4.0 through 2.4.17.
Problem types
CWE-295: Improper Certificate Validation
Product status
4.0.0 (custom) before 4.0.4
3.2.0 (custom) before 3.2.11
3.1.0 (custom) before 3.1.16
2.4.0 (custom) before 2.4.18
References
spring.io/security/cve-2026-41714