CVE-2016-3094

low-risk
Published 2016-06-01

PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the broker is configured to allow plaintext passwords, allows remote attackers to cause a denial of service (broker termination) via a crafted authentication attempt, which triggers an uncaught exception.

Do I need to act?

-
0.99% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Qpid Broker-J

Affected Vendors

Apache

References (14)

Vendor Advisory http://mail-archives.apache.org/mod_mbox/qpid-users/201605.mbox/%3C5748641A.2050...
Third Party Advisory http://packetstormsecurity.com/files/137215/Apache-Qpid-Java-Broker-6.0.2-Denial...
Release Notes http://qpid.apache.org/releases/qpid-java-6.0.3/release-notes.html
Third Party Advisory http://www.securityfocus.com/archive/1/538507/100/0/threaded
Third Party Advisory http://www.securitytracker.com/id/1035982
Vendor Advisory https://issues.apache.org/jira/browse/QPID-7271
Release Notes https://svn.apache.org/viewvc?view=revision&revision=1744403
Vendor Advisory http://mail-archives.apache.org/mod_mbox/qpid-users/201605.mbox/%3C5748641A.2050...
Third Party Advisory http://packetstormsecurity.com/files/137215/Apache-Qpid-Java-Broker-6.0.2-Denial...
Release Notes http://qpid.apache.org/releases/qpid-java-6.0.3/release-notes.html
Third Party Advisory http://www.securityfocus.com/archive/1/538507/100/0/threaded
Third Party Advisory http://www.securitytracker.com/id/1035982
Vendor Advisory https://issues.apache.org/jira/browse/QPID-7271
Release Notes https://svn.apache.org/viewvc?view=revision&revision=1744403
26
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 3/34 · Minimal
Exposure 5/34 · Minimal