FKIE_CVE-2016-8741

Vulnerability from fkie_nvd - Published: 2017-05-15 14:29 - Updated: 2025-04-20 01:37
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
The Apache Qpid Broker for Java can be configured to use different so called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders in Apache Qpid Broker for Java 6.0.x before 6.0.6 and 6.1.x before 6.1.1 prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist thus allowing remote attacker to determine the existence of user accounts. The Vulnerability does not apply to AuthenticationProviders other than SCRAM-SHA-1 and SCRAM-SHA-256.
References
security@apache.orghttp://qpid.2158936.n2.nabble.com/CVE-2016-8741-Apache-Qpid-Broker-for-Java-Information-Leakage-td7657025.htmlVendor Advisory
security@apache.orghttp://www.securityfocus.com/bid/95136Broken Link, Third Party Advisory, VDB Entry
security@apache.orghttp://www.securitytracker.com/id/1037537Broken Link, Third Party Advisory, VDB Entry
security@apache.orghttps://issues.apache.org/jira/browse/QPID-7599Issue Tracking
af854a3a-2127-422b-91ae-364da2661108http://qpid.2158936.n2.nabble.com/CVE-2016-8741-Apache-Qpid-Broker-for-Java-Information-Leakage-td7657025.htmlVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/95136Broken Link, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108http://www.securitytracker.com/id/1037537Broken Link, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108https://issues.apache.org/jira/browse/QPID-7599Issue Tracking
Impacted products
Vendor Product Version
apache qpid_broker-j 6.0.1
apache qpid_broker-j 6.0.2
apache qpid_broker-j 6.0.3
apache qpid_broker-j 6.0.4
apache qpid_broker-j 6.0.5
apache qpid_broker-j 6.1.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:qpid_broker-j:6.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "55070278-AC9D-410C-89E4-4C28EC8CAAB1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:qpid_broker-j:6.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "6DA6ED9D-1219-4403-BDB3-A31DD0E6EA81",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:qpid_broker-j:6.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "49FDDDB5-C6B7-47D1-B77A-5AE62DA4BF92",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:qpid_broker-j:6.0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "3FCAC788-0D15-47E5-AA36-6296D01AA35A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:qpid_broker-j:6.0.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "D6037734-4A04-4EA4-A6AE-81202A5C8DE3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:qpid_broker-j:6.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "072FDAFD-73BF-4174-91DF-C22A7A80033B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Apache Qpid Broker for Java can be configured to use different so called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders in Apache Qpid Broker for Java 6.0.x before 6.0.6 and 6.1.x before 6.1.1 prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist thus allowing remote attacker to determine the existence of user accounts. The Vulnerability does not apply to AuthenticationProviders other than SCRAM-SHA-1 and SCRAM-SHA-256."
    },
    {
      "lang": "es",
      "value": "El Broker Qpid  de Apache para Java puede ser configurado para usar diferentes llamados AuthenticationProviders para manejar la autenticaci\u00f3n de usuarios. Entre las opciones se encuentran los tipos AuthenticationProviders SCRAM-SHA-1 y SCRAM-SHA-256. Se detect\u00f3 que estos AuthenticationProvider en Broker Qpid de Apache para Java versiones 6.0.x anteriores a 6.0.6 y versiones 6.1.x anteriores a 6.1.1, terminan prematuramente la negociaci\u00f3n SASL de SCRAM si el nombre de usuario proporcionado no permite a un atacante remoto determinar la existencia de cuentas de usuario. La vulnerabilidad no se aplica a AuthenticationProviders que no sean SCRAM-SHA-1 y SCRAM-SHA-256."
    }
  ],
  "id": "CVE-2016-8741",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-05-15T14:29:00.153",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://qpid.2158936.n2.nabble.com/CVE-2016-8741-Apache-Qpid-Broker-for-Java-Information-Leakage-td7657025.html"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Broken Link",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/95136"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Broken Link",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securitytracker.com/id/1037537"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://issues.apache.org/jira/browse/QPID-7599"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://qpid.2158936.n2.nabble.com/CVE-2016-8741-Apache-Qpid-Broker-for-Java-Information-Leakage-td7657025.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/95136"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securitytracker.com/id/1037537"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://issues.apache.org/jira/browse/QPID-7599"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.