8 matches found
CVE-2016-8741
Apache Qpid Broker for Java (6.0.x before 6.0.6; 6.1.x before 6.1.1) is affected. The SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProviders prematurely terminate SCRAM SASL negotiation when the provided username does not exist, enabling remote attackers to determine whether a user exists. The iss...
CVE-2017-15701
The CVE-2017-15701 entry applies to Apache Qpid Broker-J versions 6.1.0–6.1.4, where AMQP 1.0 frame size is not properly enforced, allowing a remote unauthenticated attacker to exhaust memory and cause DoS. A fix is available in 6.1.5 and later; upgrade to 6.1.5+ or apply the applicable mitigatio...
CVE-2017-15702
Apache Qpid Broker-J versions 0.18–0.32 are vulnerable to authentication port spoofing: if different authentication providers are configured on multiple ports and one is an HTTP port, a remote unauthenticated attacker connecting to the HTTP port can cause the broker to use the authentication prov...
CVE-2019-0200
Apache Qpid Broker-J is affected by a Denial of Service (DoS) vulnerability, CVE-2019-0200, in versions 6.0.0–7.0.6 inclusive and 7.1.0. An unauthenticated attacker can crash the broker by sending specially crafted commands over AMQP protocol versions below 1.0 (0-8, 0-9, 0-91, 0-10). Remediation: ...
CVE-2018-8030
CVE-2018-8030 affects Apache Qpid Broker-J 7.0.0–7.0.4 when publishing AMQP messages larger than the default maximum (100 MB) using protocols 0-8, 0-9, or 0-91. The defect causes the broker to crash, representing a Denial of Service (DoS). Protocols 0-10 and 1.0 are not affected. The pro...
CVE-2016-4432
CVE-2016-4432 affects Apache Qpid Java broker before 6.0.3. The AMQP 0-8/0-9/0-91/0-10 connection handling could allow remote attackers to bypass authentication and perform actions via vectors related to connection state logging. The connected documents corroborate the vulnerability in the Java b...
CVE-2016-3094
CVE-2016-3094 - Affected software and root cause: Apache Qpid Java broker prior to 6.0.3, when configured to allow plaintext passwords, is vulnerable via the PlainSaslServer.java authentication path. An attacker can trigger an uncaught exception through a crafted authentication attempt, leading t...
CVE-2018-1298
CVE-2018-1298 describes a Denial of Service in Apache Qpid Broker-J 7.0.0 related to authentication of AMQP connections. The issue occurs when using PLAIN or XOAUTH2 SASL mechanisms during SASL negotiation, where unauthenticated attackers may crash the broker. Affected scope includes AMQP protoco...