Qpid / QPID-7599

[CVE-2016-8741] Prevent leaking information about the existence of user accounts in SCRAM-SHA256/SCRAM-SHA1 authentication providers

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: qpid-java-6.0.1, qpid-java-6.0.2, qpid-java-6.0.3, qpid-java-6.0.4, qpid-java-6.0.5, qpid-java-6.1
    • Component/s: Broker-J
    • Labels:
      None

      Description

      The SCRAM-SHA256 and SCRAM-SHA1 authentication providers prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist, thus allowing a remote attacker to determine the existence of user accounts.

      CVE-2016-8741 was raised for this issue.
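      The following is an added illustration written for this page; it is not code from Qpid Broker-J (which is Java) or from this issue. It is a minimal SCRAM-SHA-256 exchange in Python with a switch between the behaviour the description reports (the server aborts at the server-first step when the user is unknown, so the client sees a different failure than for a wrong password) and the usual mitigation (the server continues with a fabricated salt that is stable per user name and fails only at the client-final step with the same generic error). The names ScramServer, make_user, client_run and probe, the user list and the passwords are all invented for the example.

```python
"""Toy SCRAM-SHA-256 (RFC 5802 framing, no channel binding) showing the
user-enumeration bug class and its mitigation. Constructed example only."""
import base64
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
ITERATIONS = 4096


class AuthError(Exception):
    """stage records which SCRAM step produced the failure."""

    def __init__(self, stage, msg):
        super().__init__(msg)
        self.stage, self.msg = stage, msg


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _parse(msg):
    # SCRAM attributes are comma-separated "a=value"; values contain no ','.
    # (RFC 5802 name escaping of ',' and '=' in user names is omitted here.)
    return dict(kv.split("=", 1) for kv in msg.split(","))


def make_user(password, iterations=ITERATIONS):
    """Credential record a broker stores (never the password itself)."""
    salt = secrets.token_bytes(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": HASH(client_key).digest(),
        "server_key": hmac.new(salted, b"Server Key", HASH).digest(),
    }


class ScramServer:
    def __init__(self, users, mock_unknown_users):
        self.users = users
        self.mock_unknown_users = mock_unknown_users
        self.secret = secrets.token_bytes(32)  # per-server key for mock salts
        self.sessions = {}

    def salt_and_iterations(self, user):
        cred = self.users.get(user)
        if cred is not None:
            return cred["salt"], cred["iterations"]
        if not self.mock_unknown_users:
            # Vulnerable behaviour: abort before server-first, which tells the
            # client that the account does not exist.
            raise AuthError("server-first", "unknown user")
        # Mitigation: answer with a fake salt that is *stable* for a given user
        # name (HMAC over the name under a secret server key), so neither an
        # early abort nor a salt that changes between probes reveals anything.
        salt = hmac.new(self.secret, user.encode(), HASH).digest()[:16]
        return salt, ITERATIONS

    def server_first(self, client_first_bare):
        f = _parse(client_first_bare)
        user, cnonce = f["n"], f["r"]
        salt, iterations = self.salt_and_iterations(user)
        snonce = cnonce + secrets.token_hex(12)
        msg = f"r={snonce},s={base64.b64encode(salt).decode()},i={iterations}"
        self.sessions[snonce] = (user, client_first_bare, msg)
        return msg

    def client_final(self, client_final):
        f = _parse(client_final)
        user, cf_bare, sf = self.sessions.pop(f["r"], (None, None, None))
        cred = self.users.get(user)
        without_proof = client_final.rsplit(",p=", 1)[0]
        auth_msg = f"{cf_bare},{sf},{without_proof}".encode()
        if cred is not None:
            proof = base64.b64decode(f["p"])
            client_sig = hmac.new(cred["stored_key"], auth_msg, HASH).digest()
            client_key = _xor(proof, client_sig)
            if hmac.compare_digest(HASH(client_key).digest(), cred["stored_key"]):
                server_sig = hmac.new(cred["server_key"], auth_msg, HASH).digest()
                return "v=" + base64.b64encode(server_sig).decode()
        # Unknown user and wrong password fail at the same step, same message.
        raise AuthError("client-final", "authentication failed")


def client_run(server, user, password):
    """Drive a full exchange; returns the server signature on success."""
    cf_bare = f"n={user},r={secrets.token_hex(12)}"
    sf = server.server_first(cf_bare)
    f = _parse(sf)
    salt, iterations = base64.b64decode(f["s"]), int(f["i"])
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    without_proof = f"c=biws,r={f['r']}"  # "biws" = base64("n,,"), no binding
    auth_msg = f"{cf_bare},{sf},{without_proof}".encode()
    client_sig = hmac.new(HASH(client_key).digest(), auth_msg, HASH).digest()
    proof = base64.b64encode(_xor(client_key, client_sig)).decode()
    return server.client_final(f"{without_proof},p={proof}")


def probe(server, user, password="guess"):
    """What an attacker learns from one attempt: (failing stage, message)."""
    try:
        client_run(server, user, password)
        return ("done", "ok")
    except AuthError as e:
        return (e.stage, e.msg)
```

      With `mock_unknown_users=False` a probe for a non-existent name fails at server-first with "unknown user" while a probe for a real name with a bad password fails at client-final, which is exactly the distinguishing signal the description reports. With the mitigation on, both fail at client-final with the same message. Two details matter for the fake salt: it must be keyed by a secret so it cannot be predicted, and it must be deterministic per user name, since a salt that changes on every attempt would itself mark the account as missing. Residual channels remain (timing of the two code paths, and a mock salt observed before an account is created differing from the real one afterwards) and should be considered when hardening a real broker.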


            People

            • Assignee: Unassigned
            • Reporter: Alex Rudyy (alex.rufous)
            • Votes: 0
            • Watchers: 1
