CVE-2016-8741

HIGH

Apache Qpid Broker for Java <6.0.6, <6.1.1 - Info Disclosure

Title source: llm

Description

The Apache Qpid Broker for Java can be configured to use different so called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders in Apache Qpid Broker for Java 6.0.x before 6.0.6 and 6.1.x before 6.1.1 prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist thus allowing remote attacker to determine the existence of user accounts. The Vulnerability does not apply to AuthenticationProviders other than SCRAM-SHA-1 and SCRAM-SHA-256.

Exploits (2)

nomisec WRITEUP

by dawetmaster · poc

https://github.com/dawetmaster/CVE-2016-8741-qpid-broker-j-vulnerable

View Code ZIP pw:eip

nomisec WRITEUP

by andikahilmy · poc

https://github.com/andikahilmy/CVE-2016-8741-qpid-broker-j-vulnerable

View Code ZIP pw:eip

References (4)

[Vendor Advisory] http://qpid.2158936.n2.nabble.com/CVE-2016-8741-Apache-Qpid-Broker-for-Java-Information-Leakage-td7657025.html

[Broken Link, Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/95136

[Broken Link, Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1037537

[Issue Tracking] https://issues.apache.org/jira/browse/QPID-7599

Scores

CVSS v3 7.5

EPSS 0.0039

EPSS Percentile 60.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-200

Status published

Products (9)

apache/qpid_broker-j 6.0.1

apache/qpid_broker-j 6.0.2

apache/qpid_broker-j 6.0.3

apache/qpid_broker-j 6.0.4

apache/qpid_broker-j 6.0.5

apache/qpid_broker-j 6.1.0

Apache Software Foundation/Apache Qpid Broker-J 6.0.1, 6.0.2, 6.0.3, 6.0.4, and 6.0.5

Apache Software Foundation/Apache Qpid Broker-J 6.1.0

org.apache.qpid/qpid-broker 6.0.0 - 6.0.6Maven

Published May 15, 2017

Tracked Since Feb 18, 2026