282 matches found
RHEL 6 : qpid-cpp (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - qpid-cpp: anonymous access to qpidd cannot be prevented CVE-2015-0223 - qpid-cpp: AMQP 0-10 protocol...
RHEL 7 : qpid-cpp (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - qpid-cpp: anonymous access to qpidd cannot be prevented CVE-2015-0223 - qpid-cpp: AMQP 0-10 protocol...
K23675185: Apache Qpid vulnerabilities CVE-2016-3094 and CVE-2016-4432
Security Advisory Description CVE-2016-3094 PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the broker is configured to allow plaintext passwords, allows remote attackers to cause a denial of service broker termination via a crafted authentication attempt, which triggers an uncaught...
SUSE CVE-2016-2166
The 1 proton.reactor.Connector, 2 proton.reactor.Container, and 3 proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain...
Withdrawn Advisory: Improper Certificate Validation in Apache Qpid Proton
Withdrawn Advisory This advisory has been withdrawn because the vulnerability only affects the Qpid Proton C library and not org.apache.qpid:proton-j. This link has been maintained to preserve external references. Original Description While investigating bug PROTON-2014, we discovered that under...
GHSA-MRGH-6X42-X6XF Improper Authentication in Apache Qpid
The default configuration for Apache Qpid 0.20 and earlier, when the federationtag attribute is enabled, accepts AMQP connections without checking the source user ID, which allows remote attackers to bypass authentication and have other unspecified impact via an AMQP request...
Improper Authentication in Apache Qpid
The default configuration for Apache Qpid 0.20 and earlier, when the federationtag attribute is enabled, accepts AMQP connections without checking the source user ID, which allows remote attackers to bypass authentication and have other unspecified impact via an AMQP request...
GHSA-8VVH-CRQV-JM64 Exposure of Sensitive Information to an Unauthorized Actor in Apache Qpid Broker for Java
The Apache Qpid Broker for Java can be configured to use different so called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders in Apache Qpid Broker for...
Exposure of Sensitive Information to an Unauthorized Actor in Apache Qpid Broker for Java
The Apache Qpid Broker for Java can be configured to use different so called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders in Apache Qpid Broker for...
GHSA-PHW8-FW9G-V3XC Apache QPID Allows Remote Authentication Bypass
Apache QPID 0.14, 0.16, and earlier uses a NullAuthenticator mechanism to authenticate catch-up shadow connections to AMQP brokers, which allows remote attackers to bypass authentication...
Apache QPID Allows Remote Authentication Bypass
Apache QPID 0.14, 0.16, and earlier uses a NullAuthenticator mechanism to authenticate catch-up shadow connections to AMQP brokers, which allows remote attackers to bypass authentication...
Improper Input Validation in Apache Qpid AMQP 0-x JMS
Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS AMQP 1.0 before 0.10.0 does not restrict the use of classes available on the classpath, which might allow remote authenticated users with permission to send messages to deserialize arbitrary objects and execute arbitrary code by leveraging a...
GHSA-3G2P-7C6P-VJ8C Apache Qpid Python client Improper certificate validation
The Python client in Apache Qpid before 2.2 does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate...
Apache Qpid Python client Improper certificate validation
The Python client in Apache Qpid before 2.2 does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate...
Denial Of Service (DoS)
apache qpid is vulnerable to denial of service. A flaw was found in the way Apache Qpid handled a request to redeclare an existing exchange while adding a new alternate exchange. If a remote, authenticated user issued such a request, the server would crash, resulting in the cluster shutting down...
Denial Of Service (DoS)
apache qpid is vulnerable to denial of service. A flaw was found in the way Apache Qpid handled the receipt of invalid AMQP data. A remote user could send invalid AMQP data to the server, causing it to crash, resulting in the cluster shutting down...
Denial Of Service (DoS)
Apache Qpid Dispatch Router is vulnerable to denial of service attacks. A remote, authenticated attacker could exploit the flawed JAMQP component to cause denial of service conditions via a specifically crafted AMQP frame which will cause a segfault and shut down...
Improper TLS Certificate Validation
Apache Qpid Proton is vulnerable to man-in-the-middle MitM attacks. A remote attacker is able to intercept TLS traffic as the application provides anonymous ciphers to authenticate a client regardless of the client's configuration to verify the server's certificate or hostname. The vulnerability ...
Code injection
While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 C library and its language bindings can connect to a peer anonymously using TLS even when configured to verify the peer certificate while used with OpenSSL versions before...
CVE-2019-0223
While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 C library and its language bindings can connect to a peer anonymously using TLS even when configured to verify the peer certificate while used with OpenSSL versions before...