CVE-2019-0223
CVE-2019-0223 concerns Apache Qpid Proton (C library and bindings) versions 0.9–0.27.0. Under TLS with OpenSSL versions before 1.1.0, a peer could be connected anonymously even when peer cert verification is configured, enabling a potential undetected man-in-the-middle attack if TLS traffic is in...
CVE-2012-4446
CVE-2012-4446 affects Apache Qpid qpidd 0.20 and earlier when federation_tag is enabled: the broker accepts AMQP connections without verifying the source user ID, enabling remote authentication bypass. Public details come from Red Hat RHSA-2013:0561/0562 notes and the OSV/GHSA entries, which desc...
CVE-2015-0203
CVE-2015-0203 affects the qpidd broker in Apache Qpid 0.30 and earlier. Root cause: mishandling of AMQP messages allows remote authenticated users to cause a denial of service (daemon crash) via (1) an invalid range in a sequence set, (2) content-bearing methods other than message-transfer, or (3...
CVE-2015-0224
CVE-2015-0224 affects qpidd (Apache Qpid) 0.30 and earlier. The vulnerability enables remote denial of service (daemon crash) via a crafted protocol sequence set, and exists due to an incomplete fix for CVE-2015-0203. Public details in related advisories note the issue is tied to the qpidd broke...
CVE-2015-0223
The vulnerability CVE-2015-0223 affects Apache Qpid 0.30 and earlier, where remote attackers could bypass qpidd access restrictions due to issues in 0-10 connection handling. Impact is unauthorized access risk without explicit exploit details provided; affected components are the qpidd broker in ...
CVE-2011-3620
CVE-2011-3620 affects Apache Qpid prior to fixed releases; a flaw in the cluster-join credential verification allows remote attackers who know a valid cluster-username to obtain access to messaging and job functionality. Red Hat advisories (RHSA-2012:0528/0529) state the fix changes to the cluste...
CVE-2013-1909
The CVE-2013-1909 issue affects the Python client in Apache Qpid prior to version 2.2, which does not verify that the server hostname matches the certificate’s CN/subjectAltName. This enables MITM with arbitrary valid certificates. Red Hat RHSA-2013:1024 notes upgrading to enable proper TLS/SSL c...
CVE-2009-5005
CVE-2009-5005 affects Apache Qpid used in Red Hat Enterprise MRG Messaging and Grid before version 1.3. The vulnerability is in Cluster::deliveredEvent handling of AMQP data, allowing a remote attacker to trigger a denial of service (daemon crash and cluster outage) through invalid AMQP data. Red...
CVE-2012-4458
CVE-2012-4458 affects Apache Qpid up to version 0.20, where the AMQP type decoder could be triggered by a connection.start-ok message containing a large number of zero-width elements in the client-properties map, leading to memory consumption and a potential denial of service (server crash). Publ...
CVE-2009-5006
Apache Qpid's broker (C++ SessionAdapter::ExchangeHandlerImpl::checkAlternate) before version 0.6, used in Red Hat Enterprise MRG before 1.3, is affected. A remote authenticated user can trigger a NULL pointer dereference by attempting to redeclare an existing exchange while adding an alternate e...
CVE-2010-3083
The CVE-2010-3083 issue affects Red Hat Enterprise MRG Messaging (qpidd) when SSL is enabled. A flaw in how the SSL port is handled allows a remote attacker to cause a denial-of-service (daemon outage) by connecting to the SSL port without completing the SSL handshake. The vulnerability is addres...
CVE-2012-2145
CVE-2012-2145 affects Apache Qpid 0.17 and earlier. The vulnerability arises from insufficient restriction of incoming client connections, enabling remote attackers to cause a denial of service through file descriptor exhaustion by establishing a large number of incomplete connections. Public ref...
CVE-2012-3467
The CVE-2012-3467 issue affects Apache Qpid (qpidd) before the fixed updates, where the NullAuthenticator used for catch-up shadow connections allowed remote authentication bypass. Affected: Qpid components handling AMQP broker clustering (qpidd, and related messaging cluster setup). Root cause: ...
CVE-2012-4459
CVE-2012-4459 affects Apache Qpid 0.20 and earlier. The root cause is an integer overflow in qpid::framing::Buffer::checkAvailable(), leading to an out-of-bounds read and remote DoS (crash) via a crafted message. Public details in connected advisories confirm this issue and note that Red Hat’s RH...
CVE-2014-3629
The CVE-2014-3629 issue affects Apache Qpid’s qpidd with the XML Exchange module up to and including version 0.30. On parsing a message containing an XML body with a DTD, the broker may retrieve external entities, potentially causing the broker to initiate outgoing HTTP connections. Public refere...
CVE-2012-4460
The CVE-2012-4460 issue affects Apache Qpid (0.20 and earlier) in the qpid::framing::Buffer class’ serializing/deserializing functions. Affects the Buffer component, enabling remote denial of service (assertion failure and daemon exit) via unspecified vectors, with a note that it could trigger an...