CVSS: 7.5 • EPSS: 0% • CPEs: 6 • EXPL: 0

The Apache Qpid Broker for Java can be configured to use different so-called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders in Apache Qpid Broker for Java 6.0.x before 6.0.6 and 6.1.x before 6.1.1 prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist, thus allowing a remote attacker to determine the existence of user accounts. The vulnerability does not apply to AuthenticationProviders other than SCRAM-SHA-1 and SCRAM-SHA-256.

• http://qpid.2158936.n2.nabble.com/CVE-2016-8741-Apache-Qpid-Broker-for-Java-Information-Leakage-td7657025.html
• http://www.securityfocus.com/bid/95136
• http://www.securitytracker.com/id/1037537
• https://issues.apache.org/jira/browse/QPID-7599
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication and consequently perform actions via vectors related to connection state logging.

• http://mail-archives.apache.org/mod_mbox/qpid-users/201605.mbox/%3CCAFEMS4tXDKYxKVMmU0zTb_7uzduoUS4_RePnUwz1tj%2BGQLNw5Q%40mail.gmail.com%3E
• http://packetstormsecurity.com/files/137216/Apache-Qpid-Java-Broker-6.0.2-Authentication-Bypass.html
• http://www.securityfocus.com/archive/1/538508/100/0/threaded
• http://www.securitytracker.com/id/1035983
• https://issues.apache.org/jira/browse/QPID-7257
• https://svn.apache.org/viewvc?view=revision&revision=1743161
• https://svn.apache.org/viewvc?view=revision&revision=
• CWE-287: Improper Authentication

CVSS: 5.9 • EPSS: 1% • CPEs: 1 • EXPL: 0

PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the broker is configured to allow plaintext passwords, allows remote attackers to cause a denial of service (broker termination) via a crafted authentication attempt, which triggers an uncaught exception.

• http://mail-archives.apache.org/mod_mbox/qpid-users/201605.mbox/%3C5748641A.2050701%40gmail.com%3E
• http://packetstormsecurity.com/files/137215/Apache-Qpid-Java-Broker-6.0.2-Denial-Of-Service.html
• http://qpid.apache.org/releases/qpid-java-6.0.3/release-notes.html
• http://www.securityfocus.com/archive/1/538507/100/0/threaded
• http://www.securitytracker.com/id/1035982
• https://issues.apache.org/jira/browse/QPID-7271
• https://svn.apache.org/viewvc?view=revision&revision=1744403
• CWE-20: Improper Input Validation
• CWE-287: Improper Authentication