
CVSS: 7.5 • EPSS: 3% • CPEs: 1 • EXPL: 0

13 Dec 2019 — qpid-cpp: ACL policies only loaded if the acl-file option specified enabling DoS by consuming all available file descriptors • https://access.redhat.com/security/cve/cve-2014-0212 • CWE-400: Uncontrolled Resource Consumption

CVSS: 6.5 • EPSS: 1% • CPEs: 1 • EXPL: 0

09 Nov 2019 — qpid-cpp 1.0 crashes when a large message is sent and the Digest-MD5 mechanism with a security layer is in use. • https://access.redhat.com/security/cve/cve-2009-5004 • CWE-20: Improper Input Validation

CVSS: 7.4 • EPSS: 0% • CPEs: 33 • EXPL: 0

23 Apr 2019 — While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic. • http://www.openwall.com/lists/oss-security/2019/04/23/4 • CWE-300: Channel Accessible by Non-Endpoint

CVSS: 7.5 • EPSS: 2% • CPEs: 2 • EXPL: 0

06 Mar 2019 — A Denial of Service vulnerability was found in Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0 which allows an unauthenticated attacker to crash the broker instance by sending specially crafted commands using AMQP protocol versions below 1.0 (AMQP 0-8, 0-9, 0-91 and 0-10). Users of Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0 utilizing AMQP protocols 0-8, 0-9, 0-91, 0-10 must upgrade to Qpid Broker-J versions 7.0.7 or 7.1.1 or later. • http://www.securityfocus.com/bid/107215

CVSS: 7.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

13 Nov 2018 — The Apache Qpid Proton-J transport includes an optional wrapper layer to perform TLS, enabled by use of the 'transport.ssl(...)' methods. Unless a verification mode was explicitly configured, client and server modes previously defaulted as documented to not verifying a peer certificate, with options to configure this explicitly or select a certificate verification mode with or without hostname verification being performed. The latter hostname verifying mode was not implemented in Apache Qpid Proton-J versio... • http://www.securityfocus.com/bid/105935 • CWE-295: Improper Certificate Validation

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

19 Jun 2018 — A Denial of Service vulnerability was found in Apache Qpid Broker-J versions 7.0.0-7.0.4 when AMQP protocols 0-8, 0-9 or 0-91 are used to publish messages with size greater than allowed maximum message size limit (100MB by default). The broker crashes due to the defect. AMQP protocols 0-10 and 1.0 are not affected. • http://www.securitytracker.com/id/1041138 • CWE-20: Improper Input Validation

CVSS: 6.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

13 Feb 2018 — A Denial of Service vulnerability was found in Apache Qpid Dispatch Router versions 0.7.0 and 0.8.0. To exploit this vulnerability, a remote user must be able to establish an AMQP connection to the Qpid Dispatch Router and send a specifically crafted AMQP frame which will cause it to segfault and shut down. • http://www.securityfocus.com/bid/103067 • CWE-20: Improper Input Validation

CVSS: 5.9 • EPSS: 1% • CPEs: 1 • EXPL: 0

09 Feb 2018 — A Denial of Service vulnerability was found in Apache Qpid Broker-J 7.0.0 in functionality for authentication of connections for AMQP protocols 0-8, 0-9, 0-91 and 0-10 when the PLAIN or XOAUTH2 SASL mechanism is used. The vulnerability allows an unauthenticated attacker to crash the broker instance. AMQP 1.0 and HTTP connections are not affected. Authentication of incoming AMQP connections in Apache Qpid Broker-J is performed by special entities called "Authentication Providers". Each Authentication Provider ca... • https://lists.apache.org/thread.html/d9087e9e57c9b6376754e2b4ea8cd5e9ae6449ed17fc384640c9c9e1%40%3Cusers.qpid.apache.org%3E • CWE-20: Improper Input Validation

CVSS: 7.5 • EPSS: 3% • CPEs: 1 • EXPL: 0

01 Dec 2017 — In Apache Qpid Broker-J versions 6.1.0 through 6.1.4 (inclusive) the broker does not properly enforce a maximum frame size in AMQP 1.0 frames. A remote unauthenticated attacker could exploit this to cause the broker to exhaust all available memory and eventually terminate. Older AMQP protocols are not affected. • http://www.securityfocus.com/bid/102041 • CWE-400: Uncontrolled Resource Consumption

CVSS: 9.8 • EPSS: 3% • CPEs: 1 • EXPL: 0

01 Dec 2017 — In Apache Qpid Broker-J 0.18 through 0.32, if the broker is configured with different authentication providers on different ports, one of which is an HTTP port, then the broker can be tricked by a remote unauthenticated attacker connecting to the HTTP port into using an authentication provider that was configured on a different port. The attacker still needs valid credentials with the authentication provider on the spoofed port. This becomes an issue when the spoofed port has weaker authentication protection... • http://www.securityfocus.com/bid/102040