PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the broker is configured to allow plaintext passwords, allows remote attackers to cause a denial of service (broker termination) via a crafted authentication attempt, which triggers an uncaught exception.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
| Link | Tags |
|---|---|
| https://issues.apache.org/jira/browse/QPID-7271 | vendor advisory |
| https://svn.apache.org/viewvc?view=revision&revision=1744403 | release notes |
| http://www.securitytracker.com/id/1035982 | third party advisory vdb entry |
| http://packetstormsecurity.com/files/137215/Apache-Qpid-Java-Broker-6.0.2-Denial-Of-Service.html | third party advisory vdb entry |
| http://qpid.apache.org/releases/qpid-java-6.0.3/release-notes.html | release notes |
| http://www.securityfocus.com/archive/1/538507/100/0/threaded | mailing list third party advisory vdb entry |
| http://mail-archives.apache.org/mod_mbox/qpid-users/201605.mbox/%3C5748641A.2050701%40gmail.com%3E | vendor advisory mailing list |