Race condition in the XMPP library in Smack before 4.1.9, when the SecurityMode.required TLS setting has been set, allows man-in-the-middle attackers to bypass TLS protections and cause client authentication to proceed in cleartext by stripping the "starttls" feature from a server response.
[
{
"signature_version": "v1",
"target": {
"function": "afterFeaturesReceived",
"file": "smack-tcp/src/main/java/org/jivesoftware/smack/tcp/XMPPTCPConnection.java"
},
"source": "https://github.com/igniterealtime/smack/commit/059ee99ba0d5ff7758829acf5a9aeede09ec820b",
"digest": {
"length": 613.0,
"function_hash": "162405135499676843498723261240332619144"
},
"deprecated": false,
"id": "CVE-2016-10027-06fbf3d9",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"file": "smack-core/src/main/java/org/jivesoftware/smack/AbstractXMPPConnection.java"
},
"source": "https://github.com/igniterealtime/smack/commit/a9d5cd4a611f47123f9561bc5a81a4555fe7cb04",
"digest": {
"line_hashes": [
"166226024168020727660184602193806048629",
"134948199378779160109233975183569890954",
"88605558302310824271088796799865826146",
"14077166349019321174812351201942193449",
"196297237499967699417146947985424409963",
"143526958666681977381140448716380814740",
"99703176059305289874607224791631730449"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2016-10027-1e5ffd5b",
"signature_type": "Line"
},
{
"signature_version": "v1",
"target": {
"function": "afterFeaturesReceived",
"file": "smack-tcp/src/main/java/org/jivesoftware/smack/tcp/XMPPTCPConnection.java"
},
"source": "https://github.com/igniterealtime/smack/commit/a9d5cd4a611f47123f9561bc5a81a4555fe7cb04",
"digest": {
"length": 636.0,
"function_hash": "303702324975555651932198125445715319307"
},
"deprecated": false,
"id": "CVE-2016-10027-4e8eb18d",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"file": "smack-tcp/src/main/java/org/jivesoftware/smack/tcp/XMPPTCPConnection.java"
},
"source": "https://github.com/igniterealtime/smack/commit/a9d5cd4a611f47123f9561bc5a81a4555fe7cb04",
"digest": {
"line_hashes": [
"169165723362371969906079582323103709165",
"280501319024056637306658523885183107917",
"18020907112047099829245576821518696304",
"240627559848030021121748567304378147354",
"332333226042827317214943537786066364099",
"199290523618971167177330769165687145391",
"65092875263612402192528360632512628801",
"161544113212455933578606938570874477318",
"140938908259842131552865931184605750599",
"301528483712289000439262402127736642927",
"289993717744099073860443219432424799689",
"153359517629275981173086730913140254612",
"35448886486458228967770196170700976014",
"79668453002046957122340393401129745130",
"66506745986681061004248498574039422429",
"6067295856158812641652920037044037853",
"121816103822801407743410083376309923825"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2016-10027-523b49c2",
"signature_type": "Line"
},
{
"signature_version": "v1",
"target": {
"file": "smack-tcp/src/main/java/org/jivesoftware/smack/tcp/XMPPTCPConnection.java"
},
"source": "https://github.com/igniterealtime/smack/commit/059ee99ba0d5ff7758829acf5a9aeede09ec820b",
"digest": {
"line_hashes": [
"306837521746475039993216674962358218187",
"169165723362371969906079582323103709165",
"280501319024056637306658523885183107917",
"18020907112047099829245576821518696304",
"240627559848030021121748567304378147354",
"332333226042827317214943537786066364099",
"199290523618971167177330769165687145391",
"24717805826992675106772755207926354630",
"224757940918842535709031839122829159062",
"126014197207263318222156671962590120951",
"263888287788781693049202060486679464291",
"290556763773336523595440420038438474553",
"198194804144594308455886483219740415631",
"140575533528821972582816968326032047590",
"317515420276118892021599926880481693919",
"153359517629275981173086730913140254612",
"35448886486458228967770196170700976014",
"79668453002046957122340393401129745130",
"66506745986681061004248498574039422429",
"6067295856158812641652920037044037853",
"121816103822801407743410083376309923825"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2016-10027-69f52c21",
"signature_type": "Line"
},
{
"signature_version": "v1",
"target": {
"function": "connect",
"file": "smack-core/src/main/java/org/jivesoftware/smack/AbstractXMPPConnection.java"
},
"source": "https://github.com/igniterealtime/smack/commit/a9d5cd4a611f47123f9561bc5a81a4555fe7cb04",
"digest": {
"length": 341.0,
"function_hash": "298171788203308993864096917965207290590"
},
"deprecated": false,
"id": "CVE-2016-10027-b4c9b071",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "connectInternal",
"file": "smack-tcp/src/main/java/org/jivesoftware/smack/tcp/XMPPTCPConnection.java"
},
"source": "https://github.com/igniterealtime/smack/commit/059ee99ba0d5ff7758829acf5a9aeede09ec820b",
"digest": {
"length": 256.0,
"function_hash": "117259362260470440390437471825470891971"
},
"deprecated": false,
"id": "CVE-2016-10027-f38cc652",
"signature_type": "Function"
}
]