CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-0212
https://notcve.org/view.php?id=CVE-2014-0212
qpid-cpp: ACL policies only loaded if the acl-file option specified enabling DoS by consuming all available file descriptors qpid-cpp: las políticas de ACL solo se cargan si la opción acl-file especificada habilita una DoS al consumir todos los descriptores de archivo disponibles. • https://access.redhat.com/security/cve/cve-2014-0212 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0212 https://security-tracker.debian.org/tracker/CVE-2014-0212 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2009-5004
https://notcve.org/view.php?id=CVE-2009-5004
qpid-cpp 1.0 crashes when a large message is sent and the Digest-MD5 mechanism with a security layer is in use . qpid-cpp versión 1.0, se bloquea cuando un mensaje largo se envía y está en uso el mecanismo Digest-MD5 con una capa de seguridad. • https://access.redhat.com/security/cve/cve-2009-5004 https://bugzilla.redhat.com/show_bug.cgi?id=501792 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-5004 https://security-tracker.debian.org/tracker/CVE-2009-5004 • CWE-20: Improper Input Validation •
CVSS: 7.4EPSS: 0%CPEs: 33EXPL: 0CVE-2019-0223 – qpid-proton: TLS Man in the Middle Vulnerability
https://notcve.org/view.php?id=CVE-2019-0223
While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic. Mientras investigábamos el error PROTON-2014, descubrimos que en algunas circunstancias las versiones de Apache Qpid Proton 0.9 a 0.27.0 (librería de C y sus adaptaciones de lenguaje) pueden conectarse a un peer de forma anónima utilizando TLS *incluso cuando está configurado para verificar el certificado del peer* mientras se utiliza con versiones de OpenSSL anteriores a la 1.1.0. Esto significa que un ataque man in the middle podría ser construido si un atacante puede interceptar el tráfico TLS. A cryptographic weakness was discovered in qpid-proton's use of TLS. • http://www.openwall.com/lists/oss-security/2019/04/23/4 http://www.securityfocus.com/bid/108044 https://access.redhat.com/errata/RHSA-2019:0886 https://access.redhat.com/errata/RHSA-2019:1398 https://access.redhat.com/errata/RHSA-2019:1399 https://access.redhat.com/errata/RHSA-2019:1400 https://access.redhat.com/errata/RHSA-2019:2777 https://access.redhat.com/errata/RHSA-2019:2778 https://access.redhat.com/errata/RHSA-2019:2779 https://access.redhat.com/errata/ • CWE-300: Channel Accessible by Non-Endpoint •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-0200
https://notcve.org/view.php?id=CVE-2019-0200
A Denial of Service vulnerability was found in Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0 which allows an unauthenticated attacker to crash the broker instance by sending specially crafted commands using AMQP protocol versions below 1.0 (AMQP 0-8, 0-9, 0-91 and 0-10). Users of Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0 utilizing AMQP protocols 0-8, 0-9, 0-91, 0-10 must upgrade to Qpid Broker-J versions 7.0.7 or 7.1.1 or later. Se ha detectado una vulnerabilidad de denegación de servicio (DoS) en Apache Qpid Broker-J, desde la versión 6.0.0 hasta la 7.0.6 (inclusivas) y en la 7.10, que permite a un atacante no autenticado forzar el cierre de la instancia broker, enviando comandos especialmente manipulados mediante el protocolo AMQP en versiones anteriores a la 1.0 (AMQP 0-8, 0-9, 0-91 y 0-10). Los usuarios de Apache Qpid Broker-J, desde la versión 6.0.0 hasta la 7.0.6 (inclusivas) y en la 7.1.0, utilizando los protocolos AMQP 0-8, 0-9, 0-91, 0-10 deberán actualizar a las versiones de Qpid Broker-J 7.0.7 o 7.1.1 y posteriores. • http://www.securityfocus.com/bid/107215 https://lists.apache.org/thread.html/ac79d48de37d42b64da50384dbe9c8a329c5f553dd12ef7c28a832de%40%3Cusers.qpid.apache.org%3E •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2018-17187
https://notcve.org/view.php?id=CVE-2018-17187
The Apache Qpid Proton-J transport includes an optional wrapper layer to perform TLS, enabled by use of the 'transport.ssl(...)' methods. Unless a verification mode was explicitly configured, client and server modes previously defaulted as documented to not verifying a peer certificate, with options to configure this explicitly or select a certificate verification mode with or without hostname verification being performed. The latter hostname verifying mode was not implemented in Apache Qpid Proton-J versions 0.3 to 0.29.0, with attempts to use it resulting in an exception. This left only the option to verify the certificate is trusted, leaving such a client vulnerable to Man In The Middle (MITM) attack. Uses of the Proton-J protocol engine which do not utilise the optional transport TLS wrapper are not impacted, e.g. usage within Qpid JMS. • http://www.securityfocus.com/bid/105935 https://issues.apache.org/jira/browse/PROTON-1962 https://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E https://qpid.apache.org/cves/CVE-2018-17187.html • CWE-295: Improper Certificate Validation •