CVSS: 7.5EPSS: 2%CPEs: 2EXPL: 0CVE-2019-0200
https://notcve.org/view.php?id=CVE-2019-0200
06 Mar 2019 — A Denial of Service vulnerability was found in Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0 which allows an unauthenticated attacker to crash the broker instance by sending specially crafted commands using AMQP protocol versions below 1.0 (AMQP 0-8, 0-9, 0-91 and 0-10). Users of Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0 utilizing AMQP protocols 0-8, 0-9, 0-91, 0-10 must upgrade to Qpid Broker-J versions 7.0.7 or 7.1.1 or later. Se ha detectado una vulnerabilidad de d... • http://www.securityfocus.com/bid/107215 •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-8030
https://notcve.org/view.php?id=CVE-2018-8030
19 Jun 2018 — A Denial of Service vulnerability was found in Apache Qpid Broker-J versions 7.0.0-7.0.4 when AMQP protocols 0-8, 0-9 or 0-91 are used to publish messages with size greater than allowed maximum message size limit (100MB by default). The broker crashes due to the defect. AMQP protocols 0-10 and 1.0 are not affected. Se ha encontrado una vulnerabilidad de denegación de servicio (DoS) en Apache Qpid Broker-J desde la versión 7.0.0 hasta la 7.0.4 cuando los protocolos AMQP 0-8, 0-9 o 0-91 se emplean para public... • http://www.securitytracker.com/id/1041138 • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 1%CPEs: 1EXPL: 0CVE-2018-1298
https://notcve.org/view.php?id=CVE-2018-1298
09 Feb 2018 — A Denial of Service vulnerability was found in Apache Qpid Broker-J 7.0.0 in functionality for authentication of connections for AMQP protocols 0-8, 0-9, 0-91 and 0-10 when PLAIN or XOAUTH2 SASL mechanism is used. The vulnerability allows unauthenticated attacker to crash the broker instance. AMQP 1.0 and HTTP connections are not affected. An authentication of incoming AMQP connections in Apache Qpid Broker-J is performed by special entities called "Authentication Providers". Each Authentication Provider ca... • https://lists.apache.org/thread.html/d9087e9e57c9b6376754e2b4ea8cd5e9ae6449ed17fc384640c9c9e1%40%3Cusers.qpid.apache.org%3E • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 3%CPEs: 1EXPL: 0CVE-2017-15702
https://notcve.org/view.php?id=CVE-2017-15702
01 Dec 2017 — In Apache Qpid Broker-J 0.18 through 0.32, if the broker is configured with different authentication providers on different ports one of which is an HTTP port, then the broker can be tricked by a remote unauthenticated attacker connecting to the HTTP port into using an authentication provider that was configured on a different port. The attacker still needs valid credentials with the authentication provider on the spoofed port. This becomes an issue when the spoofed port has weaker authentication protection... • http://www.securityfocus.com/bid/102040 •
CVSS: 7.5EPSS: 3%CPEs: 1EXPL: 0CVE-2017-15701
https://notcve.org/view.php?id=CVE-2017-15701
01 Dec 2017 — In Apache Qpid Broker-J versions 6.1.0 through 6.1.4 (inclusive) the broker does not properly enforce a maximum frame size in AMQP 1.0 frames. A remote unauthenticated attacker could exploit this to cause the broker to exhaust all available memory and eventually terminate. Older AMQP protocols are not affected. En Apache Qpid Broker-J versiones 6.1.0 hasta 6.1.4 (inclusive), el broker no impone apropiadamente un tamaño máximo de trama en tramas AMQP versión 1.0. Un atacante remoto no autenticado podría expl... • http://www.securityfocus.com/bid/102041 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2016-8741 – Apache Qpid Broker for Java 6.1.0 Information Leak
https://notcve.org/view.php?id=CVE-2016-8741
28 Dec 2016 — The Apache Qpid Broker for Java can be configured to use different so called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders in Apache Qpid Broker for Java 6.0.x before 6.0.6 and 6.1.x before 6.1.1 prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist thus allowing remote attacker to determine the existence of user accounts. The... • http://qpid.2158936.n2.nabble.com/CVE-2016-8741-Apache-Qpid-Broker-for-Java-Information-Leakage-td7657025.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2016-3094 – Apache Qpid Java Broker 6.0.2 Denial of Service
https://notcve.org/view.php?id=CVE-2016-3094
27 May 2016 — PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the broker is configured to allow plaintext passwords, allows remote attackers to cause a denial of service (broker termination) via a crafted authentication attempt, which triggers an uncaught exception. PlainSaslServer.java en Apache Qpid Java en versiones anteriores a 6.0.3, cuando el broker está configurado para permitir contraseñas en texto plano, permite a atacantes remotos provocar una denegación de servicio (terminación del broker) a través... • http://mail-archives.apache.org/mod_mbox/qpid-users/201605.mbox/%3C5748641A.2050701%40gmail.com%3E • CWE-20: Improper Input Validation CWE-287: Improper Authentication •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-4432 – Apache Qpid Java Broker 6.0.2 Authentication Bypass
https://notcve.org/view.php?id=CVE-2016-4432
27 May 2016 — The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication and consequently perform actions via vectors related to connection state logging. La manipulación de conexión AMQP 0-8, 0-9, 0-91 y 0-10 en Apache Qpid Java en versiones anteriores a 6.0.3 podría permitir a atacantes remotos eludir la autenticación y consecuentemente realizar acciones a través de vectores relacionados con el registro de estado de conexión. Apache Qpid ... • http://mail-archives.apache.org/mod_mbox/qpid-users/201605.mbox/%3CCAFEMS4tXDKYxKVMmU0zTb_7uzduoUS4_RePnUwz1tj%2BGQLNw5Q%40mail.gmail.com%3E • CWE-287: Improper Authentication •