
CVSS: 5.9 • EPSS: 0% • CPEs: 10 • EXPL: 0

02 May 2017 — The C client and C-based client bindings in the Apache Qpid Proton library before 0.13.1 on Windows do not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when using the SChannel-based security layer, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate. • http://www.openwall.com/lists/oss-security/2016/07/15/3 • CWE-295: Improper Certificate Validation

CVSS: 7.5 • EPSS: 0% • CPEs: 6 • EXPL: 0

28 Dec 2016 — The Apache Qpid Broker for Java can be configured to use different so-called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders in Apache Qpid Broker for Java 6.0.x before 6.0.6 and 6.1.x before 6.1.1 prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist, thus allowing a remote attacker to determine the existence of user accounts. The... • http://qpid.2158936.n2.nabble.com/CVE-2016-8741-Apache-Qpid-Broker-for-Java-Information-Leakage-td7657025.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

27 May 2016 — The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication and consequently perform actions via vectors related to connection state logging. Apache Qpid ... • http://mail-archives.apache.org/mod_mbox/qpid-users/201605.mbox/%3CCAFEMS4tXDKYxKVMmU0zTb_7uzduoUS4_RePnUwz1tj%2BGQLNw5Q%40mail.gmail.com%3E • CWE-287: Improper Authentication

CVSS: 5.9 • EPSS: 1% • CPEs: 1 • EXPL: 0

27 May 2016 — PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the broker is configured to allow plaintext passwords, allows remote attackers to cause a denial of service (broker termination) via a crafted authentication attempt, which triggers an uncaught exception. • http://mail-archives.apache.org/mod_mbox/qpid-users/201605.mbox/%3C5748641A.2050701%40gmail.com%3E • CWE-20: Improper Input Validation • CWE-287: Improper Authentication

CVSS: 6.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

23 Mar 2016 — The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors. • http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 9.1 • EPSS: 1% • CPEs: 1 • EXPL: 0

26 Jan 2015 — Unspecified vulnerability in Apache Qpid 0.30 and earlier allows remote attackers to bypass access restrictions on qpidd via unknown vectors, related to 0-10 connection handling. It was discovered that the Qpid daemon (qpidd) did not restrict access to anonymous users when the ANONYMOUS mech... • http://packetstormsecurity.com/files/130106/Apache-Qpid-0.30-Anonymous-Action-Prevention.html • CWE-264: Permissions, Privileges, and Access Controls

CVSS: 7.5 • EPSS: 56% • CPEs: 1 • EXPL: 0

26 Jan 2015 — qpidd in Apache Qpid 0.30 and earlier allows remote attackers to cause a denial of service (daemon crash) via a crafted protocol sequence set. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0203. A fl... • http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178606.html • CWE-19: Data Processing Errors

CVSS: 6.5 • EPSS: 11% • CPEs: 1 • EXPL: 0

14 Jan 2015 — The qpidd broker in Apache Qpid 0.30 and earlier allows remote authenticated users to cause a denial of service (daemon crash) via an AMQP message with (1) an invalid range in a sequence set, (2) content-bearing methods other than message-transfer, or (3) a session-gap control before a corresponding session-attach. • http://www.securityfocus.com/bid/72030 • CWE-19: Data Processing Errors

CVSS: 9.1 • EPSS: 3% • CPEs: 1 • EXPL: 0

08 Nov 2014 — XML external entity (XXE) vulnerability in the XML Exchange module in Apache Qpid 0.30 allows remote attackers to cause outgoing HTTP connections via a crafted message. Apache Qpid's qpidd versions 0.30 and below can be induced to make HTTP requests. • http://packetstormsecurity.com/files/129034/Apache-Qpid-0.30-Induced-HTTP-Requests.html • CWE-19: Data Processing Errors

CVSS: 5.9 • EPSS: 0% • CPEs: 17 • EXPL: 0

11 Jul 2013 — The Python client in Apache Qpid before 2.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. • http://qpid.apache.org/releases/qpid-0.22/release-notes.html • CWE-20: Improper Input Validation