CVE-2016-3094
MEDIUMApache Qpid Broker-J < 6.0.2 and qpid-broker < 6.0.3 - Denial of Service via Crafted Authentication Attempt
Title source: llmDescription
PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the broker is configured to allow plaintext passwords, allows remote attackers to cause a denial of service (broker termination) via a crafted authentication attempt, which triggers an uncaught exception.
References (7)
Core 7
Core References
Vendor Advisory x_refsource_confirm
https://issues.apache.org/jira/browse/QPID-7271
Release Notes x_refsource_confirm
https://svn.apache.org/viewvc?view=revision&revision=1744403
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1035982
Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/137215/Apache-Qpid-Java-Broker-6.0.2-Denial-Of-Service.html
Release Notes x_refsource_confirm
http://qpid.apache.org/releases/qpid-java-6.0.3/release-notes.html
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/538507/100/0/threaded
Vendor Advisory mailing-list
x_refsource_mlist
http://mail-archives.apache.org/mod_mbox/qpid-users/201605.mbox/%3C5748641A.2050701%40gmail.com%3E
Scores
CVSS v3
5.9
EPSS
0.0098
EPSS Percentile
77.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-20
CWE-287
Status
published
Products (2)
apache/qpid_broker-j
< 6.0.2
org.apache.qpid/qpid-broker
0 - 6.0.3Maven
Published
Jun 01, 2016
Tracked Since
Feb 18, 2026