
4 matches found

Github Security Blog
added 2022/05/17 2:24 a.m., 20 views

Exposure of Sensitive Information to an Unauthorized Actor in Apache Qpid Broker for Java

The Apache Qpid Broker for Java can be configured to use different so-called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders in Apache Qpid Broker for...

CVSS 7.5, AI score 3.2, EPSS 0.00771
Exploits: 1, References: 6, Affected Software: 1
Veracode
added 2016/12/30 1:9 a.m., 17 views

Information Leakage

qpid-broker-core is vulnerable to information leakage. It is possible for a remote attacker to determine the existence of user accounts due to a prematurely terminated SCRAM SASL negotiation. This vulnerability only applies for applications using the SCRAM-SHA-1 or SCRAM-SHA-256...

CVSS 7.5, AI score 7.2, EPSS 0.00771
Exploits: 1, References: 2, Affected Software: 1
0day.today
added 2016/12/29 12:0 a.m., 25 views

Apache Qpid Broker For Java 6.1.0 Information Leak Vulnerability

The Apache Qpid Broker for Java can be configured to use different so-called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders prematurely terminate the...

CVSS 5, AI score 7.5, EPSS 0.00771
Exploits: 1
Prion
added 2012/12/05 5:55 p.m., 17 views

Default credentials

DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of logi...

CVSS 5, AI score 7.2, EPSS 0.00359
Exploits: 0, References: 1, Affected Software: 1