CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-0200
https://notcve.org/view.php?id=CVE-2019-0200
A Denial of Service vulnerability was found in Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0 which allows an unauthenticated attacker to crash the broker instance by sending specially crafted commands using AMQP protocol versions below 1.0 (AMQP 0-8, 0-9, 0-91 and 0-10). Users of Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0 utilizing AMQP protocols 0-8, 0-9, 0-91, 0-10 must upgrade to Qpid Broker-J versions 7.0.7 or 7.1.1 or later. Se ha detectado una vulnerabilidad de denegación de servicio (DoS) en Apache Qpid Broker-J, desde la versión 6.0.0 hasta la 7.0.6 (inclusivas) y en la 7.10, que permite a un atacante no autenticado forzar el cierre de la instancia broker, enviando comandos especialmente manipulados mediante el protocolo AMQP en versiones anteriores a la 1.0 (AMQP 0-8, 0-9, 0-91 y 0-10). Los usuarios de Apache Qpid Broker-J, desde la versión 6.0.0 hasta la 7.0.6 (inclusivas) y en la 7.1.0, utilizando los protocolos AMQP 0-8, 0-9, 0-91, 0-10 deberán actualizar a las versiones de Qpid Broker-J 7.0.7 o 7.1.1 y posteriores. • http://www.securityfocus.com/bid/107215 https://lists.apache.org/thread.html/ac79d48de37d42b64da50384dbe9c8a329c5f553dd12ef7c28a832de%40%3Cusers.qpid.apache.org%3E •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-8030
https://notcve.org/view.php?id=CVE-2018-8030
A Denial of Service vulnerability was found in Apache Qpid Broker-J versions 7.0.0-7.0.4 when AMQP protocols 0-8, 0-9 or 0-91 are used to publish messages with size greater than allowed maximum message size limit (100MB by default). The broker crashes due to the defect. AMQP protocols 0-10 and 1.0 are not affected. Se ha encontrado una vulnerabilidad de denegación de servicio (DoS) en Apache Qpid Broker-J desde la versión 7.0.0 hasta la 7.0.4 cuando los protocolos AMQP 0-8, 0-9 o 0-91 se emplean para publicar mensajes con un tamaño mayor que el límite de tamaño de mensaje máximo permitido (100 MB por defecto). El broker se cierre inesperadamente debido a este defecto. • http://www.securitytracker.com/id/1041138 https://lists.apache.org/thread.html/1089a4f351a1bdca0618199e53bceeec59a10bf4e3008018d6949876%40%3Cusers.qpid.apache.org%3E • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1298
https://notcve.org/view.php?id=CVE-2018-1298
A Denial of Service vulnerability was found in Apache Qpid Broker-J 7.0.0 in functionality for authentication of connections for AMQP protocols 0-8, 0-9, 0-91 and 0-10 when PLAIN or XOAUTH2 SASL mechanism is used. The vulnerability allows unauthenticated attacker to crash the broker instance. AMQP 1.0 and HTTP connections are not affected. An authentication of incoming AMQP connections in Apache Qpid Broker-J is performed by special entities called "Authentication Providers". Each Authentication Provider can support several SASL mechanisms which are offered to the connecting clients as part of SASL negotiation process. • https://lists.apache.org/thread.html/d9087e9e57c9b6376754e2b4ea8cd5e9ae6449ed17fc384640c9c9e1%40%3Cusers.qpid.apache.org%3E • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15701
https://notcve.org/view.php?id=CVE-2017-15701
In Apache Qpid Broker-J versions 6.1.0 through 6.1.4 (inclusive) the broker does not properly enforce a maximum frame size in AMQP 1.0 frames. A remote unauthenticated attacker could exploit this to cause the broker to exhaust all available memory and eventually terminate. Older AMQP protocols are not affected. En Apache Qpid Broker-J versiones 6.1.0 hasta 6.1.4 (inclusive), el broker no impone apropiadamente un tamaño máximo de trama en tramas AMQP versión 1.0. Un atacante remoto no autenticado podría explotar esto para hacer que el broker agote toda la memoria disponible y finalmente termine. • http://www.securityfocus.com/bid/102041 https://issues.apache.org/jira/browse/QPID-7947 https://lists.apache.org/thread.html/4054e1c90993f337eeea24a312841c0661653e673c0ff8e2cd9520fe%40%3Cdev.qpid.apache.org%3E https://qpid.apache.org/cves/CVE-2017-15701.html • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2016-8741
https://notcve.org/view.php?id=CVE-2016-8741
The Apache Qpid Broker for Java can be configured to use different so called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders in Apache Qpid Broker for Java 6.0.x before 6.0.6 and 6.1.x before 6.1.1 prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist thus allowing remote attacker to determine the existence of user accounts. The Vulnerability does not apply to AuthenticationProviders other than SCRAM-SHA-1 and SCRAM-SHA-256. El Broker Qpid de Apache para Java puede ser configurado para usar diferentes llamados AuthenticationProviders para manejar la autenticación de usuarios. • http://qpid.2158936.n2.nabble.com/CVE-2016-8741-Apache-Qpid-Broker-for-Java-Information-Leakage-td7657025.html http://www.securityfocus.com/bid/95136 http://www.securitytracker.com/id/1037537 https://issues.apache.org/jira/browse/QPID-7599 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •