CVE-2016-8741

high

Apache

CVSS v3 Base Score

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score

0.4%

Exploitation probability in 30 days

Top 40% most likely to be exploited

Attack Characteristics

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Confidentiality

High

Integrity

None

Availability

None

Published: May 15, 2017 (3286 days ago)

Last Modified: May 13, 2026

Vendor: Apache

Source: NVD

Description

The Apache Qpid Broker for Java can be configured to use different so called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders in Apache Qpid Broker for Java 6.0.x before 6.0.6 and 6.1.x before 6.1.1 prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist thus allowing remote attacker to determine the existence of user accounts. The Vulnerability does not apply to AuthenticationProviders other than SCRAM-SHA-1 and SCRAM-SHA-256.

CWE

CWE-200

Affected Products

apache qpid broker-j

References

🔗 qpid.2158936.n2.nabble.com 🔗 www.securityfocus.com 🔗 www.securitytracker.com 🔗 issues.apache.org 🔗 qpid.2158936.n2.nabble.com

CVE-2016-8741

Vulnerability Report

Description

CWE

Affected Products

References