// For flags

CVE-2012-2145

qpid-cpp: not closing incomplete connections exhausts file descriptors, leading to DoS

Severity Score

5.3
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Apache Qpid 0.17 and earlier does not properly restrict incoming client connections, which allows remote attackers to cause a denial of service (file descriptor consumption) via a large number of incomplete connections.

Apache Qpid v0.17 y anteriores no restringe correctamente las conexiones entrantes de clientes, lo que permite a atacantes remotos provocar una denegación de servicio a través de un gran número de conexiones incompletas.

Apache Qpid is a reliable, cross-platform, asynchronous messaging system that supports the Advanced Message Queuing Protocol in several common programming languages. It was discovered that the Qpid daemon did not allow the number of connections from clients to be restricted. A malicious client could use this flaw to open an excessive amount of connections, preventing other legitimate clients from establishing a connection to qpidd. To address CVE-2012-2145, new qpidd configuration options were introduced: max-negotiate-time defines the time during which initial protocol negotiation must succeed, connection-limit-per-user and connection-limit-per-ip can be used to limit the number of connections per user and client host IP.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2012-04-04 CVE Reserved
  • 2012-09-20 CVE Published
  • 2024-08-06 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-399: Resource Management Errors
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache
Search vendor "Apache"
 Qpid
Search vendor "Apache" for product "Qpid"
 <= 0.17
Search vendor "Apache" for product "Qpid" and version " <= 0.17"
-
Affected
Apache
Search vendor "Apache"
 Qpid
Search vendor "Apache" for product "Qpid"
 0.6
Search vendor "Apache" for product "Qpid" and version "0.6"
-
Affected
Apache
Search vendor "Apache"
 Qpid
Search vendor "Apache" for product "Qpid"
 0.7
Search vendor "Apache" for product "Qpid" and version "0.7"
-
Affected
Apache
Search vendor "Apache"
 Qpid
Search vendor "Apache" for product "Qpid"
 0.8
Search vendor "Apache" for product "Qpid" and version "0.8"
-
Affected
Apache
Search vendor "Apache"
 Qpid
Search vendor "Apache" for product "Qpid"
 0.9
Search vendor "Apache" for product "Qpid" and version "0.9"
-
Affected
Apache
Search vendor "Apache"
 Qpid
Search vendor "Apache" for product "Qpid"
 0.10
Search vendor "Apache" for product "Qpid" and version "0.10"
-
Affected
Apache
Search vendor "Apache"
 Qpid
Search vendor "Apache" for product "Qpid"
 0.12
Search vendor "Apache" for product "Qpid" and version "0.12"
-
Affected
Apache
Search vendor "Apache"
 Qpid
Search vendor "Apache" for product "Qpid"
 0.14
Search vendor "Apache" for product "Qpid" and version "0.14"
-
Affected
Apache
Search vendor "Apache"
 Qpid
Search vendor "Apache" for product "Qpid"
 0.16
Search vendor "Apache" for product "Qpid" and version "0.16"
-
Affected