org.apache.qpid:qpid-broker-core@6.0.4 vulnerabilities

latest version

9.2.0
latest non vulnerable version

9.2.0
first published

10 years ago
latest version published

2 months ago
licenses detected
- Apache-2.0
  [0.26,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.apache.qpid:qpid-broker-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Information Exposure `org.apache.qpid:qpid-broker-core` Affected versions of the package are vulnerable to Information Exposure. The Qpid Broker for Java can be configured to use different so called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist thus allowing remote attacker to determine the existence of user accounts. Note: The Vulnerability does not apply to AuthenticationProviders other than SCRAM-SHA-1 and SCRAM-SHA-256.	[6.0.0,6.0.6) [6.1.0,6.1.1)
M Improper Input Validation org.apache.qpid:qpid-broker-core is a package that manages Broker core functionality and initial configuration. Affected versions of this package are vulnerable to Improper Input Validation. In `PlainSaslServer.java`, when the broker is configured to allow plaintext passwords, allows remote attackers to cause a denial of service (broker termination) via a crafted authentication attempt, which triggers an uncaught exception. How to fix Improper Input Validation? Upgrade `org.apache.qpid:qpid-broker-core` to version 6.1.0 or higher.	[,6.1.0)

Information Exposure

org.apache.qpid:qpid-broker-core Affected versions of the package are vulnerable to Information Exposure. The Qpid Broker for Java can be configured to use different so called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist thus allowing remote attacker to determine the existence of user accounts.

Note: The Vulnerability does not apply to AuthenticationProviders other than SCRAM-SHA-1 and SCRAM-SHA-256.

[6.0.0,6.0.6) [6.1.0,6.1.1)

Improper Input Validation

org.apache.qpid:qpid-broker-core is a package that manages Broker core functionality and initial configuration.

Affected versions of this package are vulnerable to Improper Input Validation. In PlainSaslServer.java, when the broker is configured to allow plaintext passwords, allows remote attackers to cause a denial of service (broker termination) via a crafted authentication attempt, which triggers an uncaught exception.

How to fix Improper Input Validation?

Upgrade org.apache.qpid:qpid-broker-core to version 6.1.0 or higher.

[,6.1.0)

Go back to all versions of this package

org.apache.qpid:qpid-broker-core@6.0.4 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities