CVE-2016-3094 — MEDIUM (5.9)

Q: How severe is CVE-2016-3094?

CVE-2016-3094 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2016-3094?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Qpid Broker-J.

Vulnerability Description

PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the broker is configured to allow plaintext passwords, allows remote attackers to cause a denial of service (broker termination) via a crafted authentication attempt, which triggers an uncaught exception.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Qpid Broker-J	<= 6.0.2

Related Weaknesses (CWE)

CWE-20 CWE-287

References

http://mail-archives.apache.org/mod_mbox/qpid-users/201605.mbox/%3C5748641A.2050Vendor Advisory
http://packetstormsecurity.com/files/137215/Apache-Qpid-Java-Broker-6.0.2-DenialThird Party AdvisoryVDB Entry
http://qpid.apache.org/releases/qpid-java-6.0.3/release-notes.htmlRelease Notes
http://www.securityfocus.com/archive/1/538507/100/0/threadedThird Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1035982Third Party AdvisoryVDB Entry
https://issues.apache.org/jira/browse/QPID-7271Vendor Advisory
https://svn.apache.org/viewvc?view=revision&revision=1744403Release Notes
http://mail-archives.apache.org/mod_mbox/qpid-users/201605.mbox/%3C5748641A.2050Vendor Advisory
http://packetstormsecurity.com/files/137215/Apache-Qpid-Java-Broker-6.0.2-DenialThird Party AdvisoryVDB Entry
http://qpid.apache.org/releases/qpid-java-6.0.3/release-notes.htmlRelease Notes
http://www.securityfocus.com/archive/1/538507/100/0/threadedThird Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1035982Third Party AdvisoryVDB Entry
https://issues.apache.org/jira/browse/QPID-7271Vendor Advisory
https://svn.apache.org/viewvc?view=revision&revision=1744403Release Notes

FAQ

What is CVE-2016-3094?

CVE-2016-3094 is a vulnerability with a CVSS score of 5.9 (MEDIUM). PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the broker is configured to allow plaintext passwords, allows remote attackers to cause a denial of service (broker termination) via a craft...

How severe is CVE-2016-3094?

CVE-2016-3094 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-3094?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Qpid Broker-J.