CVSS: 7.4EPSS: 0%CPEs: 33EXPL: 0CVE-2019-0223 – qpid-proton: TLS Man in the Middle Vulnerability
https://notcve.org/view.php?id=CVE-2019-0223
While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic. Mientras investigábamos el error PROTON-2014, descubrimos que en algunas circunstancias las versiones de Apache Qpid Proton 0.9 a 0.27.0 (librería de C y sus adaptaciones de lenguaje) pueden conectarse a un peer de forma anónima utilizando TLS *incluso cuando está configurado para verificar el certificado del peer* mientras se utiliza con versiones de OpenSSL anteriores a la 1.1.0. Esto significa que un ataque man in the middle podría ser construido si un atacante puede interceptar el tráfico TLS. A cryptographic weakness was discovered in qpid-proton's use of TLS. • http://www.openwall.com/lists/oss-security/2019/04/23/4 http://www.securityfocus.com/bid/108044 https://access.redhat.com/errata/RHSA-2019:0886 https://access.redhat.com/errata/RHSA-2019:1398 https://access.redhat.com/errata/RHSA-2019:1399 https://access.redhat.com/errata/RHSA-2019:1400 https://access.redhat.com/errata/RHSA-2019:2777 https://access.redhat.com/errata/RHSA-2019:2778 https://access.redhat.com/errata/RHSA-2019:2779 https://access.redhat.com/errata/ • CWE-300: Channel Accessible by Non-Endpoint •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2015-5183 – Console: HTTPOnly and Secure attributes not set on cookies in Red Hat AMQ
https://notcve.org/view.php?id=CVE-2015-5183
Console: HTTPOnly and Secure attributes not set on cookies in Red Hat AMQ. Consola: Atributos de HTTPOnly y Secure no establecidos en las cookies de Red Hat AMQ. It was found that Hawtio console does not set HTTPOnly or Secure attributes on cookies. An attacker could use this flaw to rerieve an authenticated user's SessionID, and possibly conduct further attacks with the permissions of the authenticated user. • http://www.securitytracker.com/id/1041750 https://access.redhat.com/errata/RHSA-2018:2840 https://bugzilla.redhat.com/show_bug.cgi?id=1249182 https://lists.apache.org/thread.html/9e3391878c6840b294155f7ba6ccb47586e317f85c1bbd15c4608bd0%40%3Cdev.activemq.apache.org%3E https://lists.apache.org/thread.html/r51c60b28154fe7b634e5f5b7a7fc7f6f060487b39a7b5e95e2c32047%40%3Cdev.activemq.apache.org%3E https://lists.apache.org/thread.html/r63480b481eb5922465da102d97d0906d8823687f99ef3255ebc32be8%40%3Cdev.activemq.apache.org%3E https://lists.apache.org/thread& •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2015-5184 – Console: CORS headers set to allow all in Red Hat AMQ
https://notcve.org/view.php?id=CVE-2015-5184
Console: CORS headers set to allow all in Red Hat AMQ. Consola: Las cabeceras de CORS están preparadas para permitir a todos los de Red Hat AMQ. It was found that the Hawtio console setting for the Access-Control-Allow-Origin header permits unrestricted sharing (allow all). An attacker could use this flaw to access sensitive information or perform other attacks. • https://bugzilla.redhat.com/show_bug.cgi?id=1249183 https://lists.apache.org/thread.html/9e3391878c6840b294155f7ba6ccb47586e317f85c1bbd15c4608bd0%40%3Cdev.activemq.apache.org%3E https://lists.apache.org/thread.html/rb280e767ab199767e07a367f287ba08a9692fa76e2da4a20d50d07c4%40%3Cdev.activemq.apache.org%3E https://access.redhat.com/security/cve/CVE-2015-5184 •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2015-5182
https://notcve.org/view.php?id=CVE-2015-5182
Cross-site request forgery (CSRF) vulnerability in the jolokia API in A-MQ. Existe una vulnerabilidad de Cross-Site Request Forgery (CSRF) en la API jolokia en A-MQ. • https://bugzilla.redhat.com/show_bug.cgi?id=1248809 https://lists.apache.org/thread.html/9e3391878c6840b294155f7ba6ccb47586e317f85c1bbd15c4608bd0%40%3Cdev.activemq.apache.org%3E https://lists.apache.org/thread.html/rb280e767ab199767e07a367f287ba08a9692fa76e2da4a20d50d07c4%40%3Cdev.activemq.apache.org%3E • CWE-352: Cross-Site Request Forgery (CSRF) •