Information Disclosure in Apache Qpid Broker for Java Authentication Providers
CVE-2016-8741

7.5HIGH

Key Information:

Vendor

Apache
Status
Apache Qpid Broker-j
Vendor
CVE Published:
15 May 2017

What is CVE-2016-8741?

The Apache Qpid Broker for Java is vulnerable due to its handling of user authentication via SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProviders. When the provided username does not exist, these AuthenticationProviders can prematurely terminate the SASL negotiation. This flaw enables a remote attacker to ascertain the existence of user accounts, compromising the confidentiality of user credentials and potentially exposing sensitive information. It is important to note that this vulnerability does not extend to other AuthenticationProviders outside SCRAM-SHA-1 and SCRAM-SHA-256.

Affected Version(s)

Apache Qpid Broker-J 6.0.1, 6.0.2, 6.0.3, 6.0.4, and 6.0.5

Apache Qpid Broker-J 6.1.0

References

http://www.securitytracker.com/id/1037537
vdb-entryx_refsource_SECTRACK
https://issues.apache.org/jira/browse/QPID-7599
x_refsource_CONFIRM
http://www.securityfocus.com/bid/95136
vdb-entryx_refsource_BID

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.