Lucene search
GoogleOSV:GHSA-8VVH-CRQV-JM64HistoryMay 17, 2022 - 2:24 a.m.
Exposure of Sensitive Information to an Unauthorized Actor in Apache Qpid Broker for Java
2022-05-1702:24:59
Google
osv.dev
14
0.001 Low
EPSS
Percentile
47.2%
The Apache Qpid Broker for Java can be configured to use different so called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders in Apache Qpid Broker for Java 6.0.x before 6.0.6 and 6.1.x before 6.1.1 prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist thus allowing remote attacker to determine the existence of user accounts. The Vulnerability does not apply to AuthenticationProviders other than SCRAM-SHA-1 and SCRAM-SHA-256.
Related
veracode
veracode
Information Leakage
2016-12-30 01:09:32
nvd
nvd
CVE-2016-8741
2017-05-15 14:29:00
fedora
fedora
[SECURITY] Fedora 25 Update: qpid-java-6.0.4-5.fc25
2017-01-12 05:26:36
cvelist
cvelist
CVE-2016-8741
2017-05-15 14:00:00
nessus
nessus
Fedora 25 : qpid-java (2017-7b181f9c98)
2017-01-13 00:00:00
osv
osv
CVE-2016-8741
2017-05-15 14:29:00
openvas
openvas
Fedora Update for qpid-java FEDORA-2017-7b181f9c98
2017-01-13 00:00:00
github
github
cve
cve
CVE-2016-8741
2017-05-15 14:29:00
zdt
zdt
Apache Qpid Broker For Java 6.1.0 Information Leak Vulnerability
2016-12-29 00:00:00
redhatcve
redhatcve
CVE-2016-8741
2017-01-03 15:18:02
prion
prion
Authentication flaw
2017-05-15 14:29:00