Maven package
org.apache.qpid/qpid-broker
pkg:maven/org.apache.qpid/qpid-broker
Vulnerabilities (4)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-15702 | Critical | 9.8 | | >= 0.18, < 6.0.0 | 6.0.0 | Dec 1, 2017 | In Apache Qpid Broker-J 0.18 through 0.32, if the broker is configured with different authentication providers on different ports one of which is an HTTP port, then the broker can be tricked by a remote unauthenticated attacker connecting to the HTTP port into using an authentica |
| CVE-2017-15701 | High | 7.5 | | >= 6.1.0, < 6.1.5 | 6.1.5 | Dec 1, 2017 | In Apache Qpid Broker-J versions 6.1.0 through 6.1.4 (inclusive) the broker does not properly enforce a maximum frame size in AMQP 1.0 frames. A remote unauthenticated attacker could exploit this to cause the broker to exhaust all available memory and eventually terminate. Older |
| CVE-2016-8741 | High | 7.5 | | >= 6.0.0, < 6.0.6 | 6.0.6 | May 15, 2017 | The Apache Qpid Broker for Java can be configured to use different so called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders in Apache |
| CVE-2016-3094 | Medium | 5.9 | | < 6.0.3 | 6.0.3 | Jun 1, 2016 | PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the broker is configured to allow plaintext passwords, allows remote attackers to cause a denial of service (broker termination) via a crafted authentication attempt, which triggers an uncaught exception. |