Published: 15/05/2017 Updated: 22/05/2023

CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 445

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

The Apache Qpid Broker for Java can be configured to use different so called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It exists that these AuthenticationProviders in Apache Qpid Broker for Java 6.0.x prior to 6.0.6 and 6.1.x prior to 6.1.1 prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist thus allowing remote malicious user to determine the existence of user accounts. The Vulnerability does not apply to AuthenticationProviders other than SCRAM-SHA-1 and SCRAM-SHA-256.

Vulnerable Product	Search on Vulmon	Subscribe to Product
apache qpid broker-j 6.0.1
apache qpid broker-j 6.0.2
apache qpid broker-j 6.0.3
apache qpid broker-j 6.0.4
apache qpid broker-j 6.0.5
apache qpid broker-j 6.1.0

CWE-200 https://issues.apache.org/jira/browse/QPID-7599 http://qpid.2158936.n2.nabble.com/CVE-2016-8741-Apache-Qpid-Broker-for-Java-Information-Leakage-td7657025.html http://www.securityfocus.com/bid/95136 http://www.securitytracker.com/id/1037537 https://nvd.nist.gov

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2016-8741

Vulnerability Summary

Vulnerability Trend

References

Vulmon Search

About

Products

Connect