cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2019-0223,https://securityvulnerability.io/vulnerability/CVE-2019-0223,,"While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.",Apache,Apache Qpid Proton,7.4,HIGH,0.0019399999873712659,false,,false,false,false,,,false,false,,2019-04-23T15:57:07.000Z,0
CVE-2019-0200,https://securityvulnerability.io/vulnerability/CVE-2019-0200,,"A Denial of Service vulnerability was found in Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0 which allows an unauthenticated attacker to crash the broker instance by sending specially crafted commands using AMQP protocol versions below 1.0 (AMQP 0-8, 0-9, 0-91 and 0-10). Users of Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0 utilizing AMQP protocols 0-8, 0-9, 0-91, 0-10 must upgrade to Qpid Broker-J versions 7.0.7 or 7.1.1 or later.",Apache,Apache Qpid Broker-j,7.5,HIGH,0.0015399999683722854,false,,false,false,false,,,false,false,,2019-03-06T18:29:00.000Z,0
CVE-2018-17187,https://securityvulnerability.io/vulnerability/CVE-2018-17187,,"The Apache Qpid Proton-J transport includes an optional wrapper layer to perform TLS, enabled by use of the 'transport.ssl(...)' methods. Unless a verification mode was explicitly configured, client and server modes previously defaulted as documented to not verifying a peer certificate, with options to configure this explicitly or select a certificate verification mode with or without hostname verification being performed. The latter hostname verifying mode was not implemented in Apache Qpid Proton-J versions 0.3 to 0.29.0, with attempts to use it resulting in an exception. This left only the option to verify the certificate is trusted, leaving such a client vulnerable to Man In The Middle (MITM) attack. Uses of the Proton-J protocol engine which do not utilise the optional transport TLS wrapper are not impacted, e.g. usage within Qpid JMS. Uses of Proton-J utilising the optional transport TLS wrapper layer that wish to enable hostname verification must be upgraded to version 0.30.0 or later and utilise the VerifyMode#VERIFY_PEER_NAME configuration, which is now the default for client mode usage unless configured otherwise.",Apache,Apache Qpid Proton-j,7.4,HIGH,0.0015800000401213765,false,,false,false,false,,,false,false,,2018-11-13T15:00:00.000Z,0
CVE-2018-8030,https://securityvulnerability.io/vulnerability/CVE-2018-8030,,"A Denial of Service vulnerability was found in Apache Qpid Broker-J versions 7.0.0-7.0.4 when AMQP protocols 0-8, 0-9 or 0-91 are used to publish messages with size greater than allowed maximum message size limit (100MB by default). The broker crashes due to the defect. AMQP protocols 0-10 and 1.0 are not affected.",Apache,Apache Qpid Broker-j,7.5,HIGH,0.0008699999889358878,false,,false,false,false,,,false,false,,2018-06-20T01:29:00.000Z,0
CVE-2015-0203,https://securityvulnerability.io/vulnerability/CVE-2015-0203,,"The qpidd broker in Apache Qpid 0.30 and earlier allows remote authenticated users to cause a denial of service (daemon crash) via an AMQP message with (1) an invalid range in a sequence set, (2) content-bearing methods other than message-transfer, or (3) a session-gap control before a corresponding session-attach.",Apache,Qpid,6.5,MEDIUM,0.06159000098705292,false,,false,false,false,,,false,false,,2018-02-21T15:00:00.000Z,0
CVE-2017-15699,https://securityvulnerability.io/vulnerability/CVE-2017-15699,,"A Denial of Service vulnerability was found in Apache Qpid Dispatch Router versions 0.7.0 and 0.8.0. To exploit this vulnerability, a remote user must be able to establish an AMQP connection to the Qpid Dispatch Router and send a specifically crafted AMQP frame which will cause it to segfault and shut down.",Apache,Apache Qpid Dispatch Router,6.5,MEDIUM,0.0006900000153109431,false,,false,false,false,,,false,false,,2018-02-13T00:00:00.000Z,0
CVE-2018-1298,https://securityvulnerability.io/vulnerability/CVE-2018-1298,,"A Denial of Service vulnerability was found in Apache Qpid Broker-J 7.0.0 in functionality for authentication of connections for AMQP protocols 0-8, 0-9, 0-91 and 0-10 when PLAIN or XOAUTH2 SASL mechanism is used. The vulnerability allows unauthenticated attacker to crash the broker instance. AMQP 1.0 and HTTP connections are not affected. An authentication of incoming AMQP connections in Apache Qpid Broker-J is performed by special entities called ""Authentication Providers"". Each Authentication Provider can support several SASL mechanisms which are offered to the connecting clients as part of SASL negotiation process. The client chooses the most appropriate SASL mechanism for authentication. Authentication Providers of following types supports PLAIN SASL mechanism: Plain, PlainPasswordFile, SimpleLDAP, Base64MD5PasswordFile, MD5, SCRAM-SHA-256, SCRAM-SHA-1. XOAUTH2 SASL mechanism is supported by Authentication Providers of type OAuth2. If an AMQP port is configured with any of these Authentication Providers, the Broker may be vulnerable.",Apache,Apache Qpid Broker-j,5.9,MEDIUM,0.0006099999882280827,false,,false,false,false,,,false,false,,2018-02-09T14:29:00.000Z,0
CVE-2017-15701,https://securityvulnerability.io/vulnerability/CVE-2017-15701,,In Apache Qpid Broker-J versions 6.1.0 through 6.1.4 (inclusive) the broker does not properly enforce a maximum frame size in AMQP 1.0 frames. A remote unauthenticated attacker could exploit this to cause the broker to exhaust all available memory and eventually terminate. Older AMQP protocols are not affected.,Apache,Apache Qpid Broker-j,7.5,HIGH,0.006260000169277191,false,,false,false,false,,,false,false,,2017-12-01T15:29:00.000Z,0
CVE-2017-15702,https://securityvulnerability.io/vulnerability/CVE-2017-15702,,"In Apache Qpid Broker-J 0.18 through 0.32, if the broker is configured with different authentication providers on different ports one of which is an HTTP port, then the broker can be tricked by a remote unauthenticated attacker connecting to the HTTP port into using an authentication provider that was configured on a different port. The attacker still needs valid credentials with the authentication provider on the spoofed port. This becomes an issue when the spoofed port has weaker authentication protection (e.g., anonymous access, default accounts) and is normally protected by firewall rules or similar which can be circumvented by this vulnerability. AMQP ports are not affected. Versions 6.0.0 and newer are not affected.",Apache,Apache Qpid Broker-j,9.8,CRITICAL,0.00494999997317791,false,,false,false,false,,,false,false,,2017-12-01T15:29:00.000Z,0
CVE-2015-0224,https://securityvulnerability.io/vulnerability/CVE-2015-0224,,qpidd in Apache Qpid 0.30 and earlier allows remote attackers to cause a denial of service (daemon crash) via a crafted protocol sequence set. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0203.,Apache,Qpid,7.5,HIGH,0.8348000049591064,false,,false,false,false,,,false,false,,2017-10-30T14:00:00.000Z,0
CVE-2016-8741,https://securityvulnerability.io/vulnerability/CVE-2016-8741,,The Apache Qpid Broker for Java can be configured to use different so called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders in Apache Qpid Broker for Java 6.0.x before 6.0.6 and 6.1.x before 6.1.1 prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist thus allowing remote attacker to determine the existence of user accounts. The Vulnerability does not apply to AuthenticationProviders other than SCRAM-SHA-1 and SCRAM-SHA-256.,Apache,Apache Qpid Broker-j,7.5,HIGH,0.0009800000116229057,false,,false,false,false,,,false,false,,2017-05-15T14:00:00.000Z,0
CVE-2016-4467,https://securityvulnerability.io/vulnerability/CVE-2016-4467,,"The C client and C-based client bindings in the Apache Qpid Proton library before 0.13.1 on Windows do not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when using the SChannel-based security layer, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.",Apache,Qpid Proton,5.9,MEDIUM,0.00139999995008111,false,,false,false,false,,,false,false,,2017-05-02T14:00:00.000Z,0
CVE-2016-4432,https://securityvulnerability.io/vulnerability/CVE-2016-4432,,"The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication and consequently perform actions via vectors related to connection state logging.",Apache,Qpid Broker-j,9.1,CRITICAL,0.006719999946653843,false,,false,false,false,,,false,false,,2016-06-01T20:00:00.000Z,0
CVE-2016-3094,https://securityvulnerability.io/vulnerability/CVE-2016-3094,,"PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the broker is configured to allow plaintext passwords, allows remote attackers to cause a denial of service (broker termination) via a crafted authentication attempt, which triggers an uncaught exception.",Apache,Qpid Broker-j,5.9,MEDIUM,0.010099999606609344,false,,false,false,false,,,false,false,,2016-06-01T20:00:00.000Z,0
CVE-2016-2166,https://securityvulnerability.io/vulnerability/CVE-2016-2166,,"The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.",Apache,Qpid Proton,6.5,MEDIUM,0.0007399999885819852,false,,false,false,false,,,false,false,,2016-04-12T14:00:00.000Z,0
CVE-2015-0223,https://securityvulnerability.io/vulnerability/CVE-2015-0223,,"Unspecified vulnerability in Apache Qpid 0.30 and earlier allows remote attackers to bypass access restrictions on qpidd via unknown vectors, related to 0-10 connection handling.",Apache,Qpid,,,0.006990000139921904,false,,false,false,false,,,false,false,,2015-02-02T16:00:00.000Z,0
CVE-2014-3629,https://securityvulnerability.io/vulnerability/CVE-2014-3629,,XML external entity (XXE) vulnerability in the XML Exchange module in Apache Qpid 0.30 allows remote attackers to cause outgoing HTTP connections via a crafted message.,Apache,Qpid,,,0.001979999942705035,false,,false,false,false,,,false,false,,2014-11-17T16:00:00.000Z,0
CVE-2012-4459,https://securityvulnerability.io/vulnerability/CVE-2012-4459,,"Integer overflow in the qpid::framing::Buffer::checkAvailable function in Apache Qpid 0.20 and earlier allows remote attackers to cause a denial of service (crash) via a crafted message, which triggers an out-of-bounds read.",Apache,Qpid,,,0.02102000080049038,false,,false,false,false,,,false,false,,2013-03-14T03:10:00.000Z,0
CVE-2012-4446,https://securityvulnerability.io/vulnerability/CVE-2012-4446,,"The default configuration for Apache Qpid 0.20 and earlier, when the federation_tag attribute is enabled, accepts AMQP connections without checking the source user ID, which allows remote attackers to bypass authentication and have other unspecified impact via an AMQP request.",Apache,Qpid,,,0.003160000080242753,false,,false,false,false,,,false,false,,2013-03-14T03:10:00.000Z,0
CVE-2012-4460,https://securityvulnerability.io/vulnerability/CVE-2012-4460,,"The serializing/deserializing functions in the qpid::framing::Buffer class in Apache Qpid 0.20 and earlier allow remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors. NOTE: this issue could also trigger an out-of-bounds read, but it might not trigger a crash.",Apache,Qpid,,,0.004600000102072954,false,,false,false,false,,,false,false,,2013-03-14T03:10:00.000Z,0
CVE-2012-4458,https://securityvulnerability.io/vulnerability/CVE-2012-4458,,The AMQP type decoder in Apache Qpid 0.20 and earlier allows remote attackers to cause a denial of service (memory consumption and server crash) via a large number of zero width elements in the client-properties map in a connection.start-ok message.,Apache,Qpid,,,0.02102000080049038,false,,false,false,false,,,false,false,,2013-03-14T03:10:00.000Z,0
CVE-2012-2145,https://securityvulnerability.io/vulnerability/CVE-2012-2145,,"Apache Qpid 0.17 and earlier does not properly restrict incoming client connections, which allows remote attackers to cause a denial of service (file descriptor consumption) via a large number of incomplete connections.",Apache,Qpid,,,0.031109999865293503,false,,false,false,false,,,false,false,,2012-09-28T15:00:00.000Z,0
CVE-2012-3467,https://securityvulnerability.io/vulnerability/CVE-2012-3467,,"Apache QPID 0.14, 0.16, and earlier uses a NullAuthenticator mechanism to authenticate catch-up shadow connections to AMQP brokers, which allows remote attackers to bypass authentication.",Apache,Qpid,,,0.002460000105202198,false,,false,false,false,,,false,false,,2012-08-27T23:55:00.000Z,0
CVE-2011-3620,https://securityvulnerability.io/vulnerability/CVE-2011-3620,,"Apache Qpid 0.12 does not properly verify credentials during the joining of a cluster, which allows remote attackers to obtain access to the messaging functionality and job functionality of a cluster by leveraging knowledge of a cluster-username.",Apache,Qpid,,,0.00675999978557229,false,,false,false,false,,,false,false,,2012-05-03T23:55:00.000Z,0
CVE-2009-5005,https://securityvulnerability.io/vulnerability/CVE-2009-5005,,"The Cluster::deliveredEvent function in cluster/Cluster.cpp in Apache Qpid, as used in Red Hat Enterprise MRG before 1.3 and other products, allows remote attackers to cause a denial of service (daemon crash and cluster outage) via invalid AMQP data.",Apache,"Qpid,Enterprise Mrg",,,0.007470000069588423,false,,false,false,false,,,false,false,,2010-10-18T16:00:00.000Z,0
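The CVE-2018-17187 row above describes the fix in terms of Proton-J's transport TLS wrapper and the VerifyMode#VERIFY_PEER_NAME setting. The following is an added illustration written for this page, not code from the Apache Qpid project or the advisory, showing the pre-0.30.0 configuration that only checks chain trust (and is therefore MITM-able with any valid certificate) next to the hostname-verifying configuration that 0.30.0 and later support and default to for client mode. The broker hostname broker.example.com, port 5671 and the CA bundle path are assumed placeholders; the API calls are Proton-J's public SslDomain, SslPeerDetails and Transport methods.

```java
import org.apache.qpid.proton.Proton;
import org.apache.qpid.proton.engine.Connection;
import org.apache.qpid.proton.engine.Ssl;
import org.apache.qpid.proton.engine.SslDomain;
import org.apache.qpid.proton.engine.SslPeerDetails;
import org.apache.qpid.proton.engine.Transport;

/**
 * Added example (not Proton-J's own code): client-side SslDomain configuration
 * before and after the CVE-2018-17187 fix. Hostname, port and CA path below are
 * assumed placeholders.
 */
public class ProtonJHostnameVerification {

    // Assumed values for the illustration.
    static final String BROKER_HOST = "broker.example.com";
    static final int BROKER_PORT = 5671;
    static final String CA_BUNDLE = "/etc/pki/tls/certs/ca-bundle.pem";

    /**
     * Weak configuration: the only verification mode that worked on Proton-J
     * 0.3 to 0.29.0. The chain is checked against the CA bundle, but the
     * certificate's CN/SAN is never compared with the host being dialled, so
     * any certificate issued by a trusted CA for any name is accepted.
     */
    static SslDomain chainOnlyClientDomain() {
        SslDomain domain = Proton.sslDomain();
        domain.init(SslDomain.Mode.CLIENT);
        domain.setTrustedCaDb(CA_BUNDLE);
        domain.setPeerAuthentication(SslDomain.VerifyMode.VERIFY_PEER);
        return domain;
    }

    /**
     * Hardened configuration: VERIFY_PEER_NAME adds the hostname check.
     * Requires Proton-J 0.30.0 or later; on 0.3 to 0.29.0 selecting this mode
     * threw an exception (the defect described in CVE-2018-17187). From 0.30.0
     * this is the client-mode default, but setting it explicitly keeps the
     * intent visible in code review.
     */
    static SslDomain hostnameVerifyingClientDomain() {
        SslDomain domain = Proton.sslDomain();
        domain.init(SslDomain.Mode.CLIENT);
        domain.setTrustedCaDb(CA_BUNDLE);
        domain.setPeerAuthentication(SslDomain.VerifyMode.VERIFY_PEER_NAME);
        return domain;
    }

    /**
     * Wraps a transport in TLS. VERIFY_PEER_NAME needs to know which name to
     * verify, so the peer hostname is supplied through SslPeerDetails on the
     * two-argument Transport.ssl(...) overload rather than the one-argument one.
     */
    static Ssl attachTls(Transport transport, SslDomain domain) {
        SslPeerDetails peer = Proton.sslPeerDetails(BROKER_HOST, BROKER_PORT);
        return transport.ssl(domain, peer);
    }

    public static void main(String[] args) {
        Transport transport = Proton.transport();
        Connection connection = Proton.connection();
        transport.bind(connection);

        SslDomain domain = hostnameVerifyingClientDomain();
        Ssl ssl = attachTls(transport, domain);

        // Guard against a build or config that silently regressed to VERIFY_PEER:
        // refuse to proceed unless hostname verification is actually in effect.
        if (domain.getPeerAuthentication() != SslDomain.VerifyMode.VERIFY_PEER_NAME) {
            throw new IllegalStateException(
                "TLS peer authentication is " + domain.getPeerAuthentication()
                + "; VERIFY_PEER_NAME is required to prevent MITM");
        }
        System.out.println("TLS wrapper attached with hostname verification: " + ssl);
        // The transport would now be driven by the application's I/O loop.
    }
}
```

A quick audit for the weak pattern is to grep a code base for `setPeerAuthentication(` and `transport.ssl(` and confirm that every client-mode `SslDomain` uses `VERIFY_PEER_NAME` and that `Transport.ssl` is called with `SslPeerDetails` carrying the real broker hostname; a `VERIFY_PEER` setting paired with the one-argument `ssl(domain)` overload is exactly the configuration the advisory describes as exposed.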