CVE-2016-10027

Source
https://nvd.nist.gov/vuln/detail/CVE-2016-10027
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-10027.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2016-10027
Aliases
Published
2017-01-12T23:59:00Z
Modified
2025-09-19T08:05:34.867887Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

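Race condition in the XMPP library in Smack before 4.1.9, when the SecurityMode.required TLS setting has been set, allows man-in-the-middle attackers to bypass TLS protections and trigger use of cleartext for client authentication by stripping the "starttls" feature from a server response. In other words, a client that was explicitly configured to refuse unencrypted connections could still send its credentials over an unencrypted stream; Smack 4.1.9 and later are outside the affected range.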

References

Affected packages

Git / github.com/igniterealtime/smack

Affected ranges

Type
GIT
Repo
https://github.com/igniterealtime/smack
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
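Fixed
[commit id not preserved in this capture; the `source` URLs in the signatures under "Database specific" point to the upstream commits those signatures were derived from]
Fixed
[commit id not preserved in this capture]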

Affected versions

3.*

3.2.0
3.2.1
3.2.2
3.3.0
3.3.1
3.4.0
3.4.1

4.*

4.0.0
4.0.0-rc1
4.0.0-rc2
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.1.8

Database specific

{
    "vanir_signatures": [
        {
            "id": "CVE-2016-10027-06fbf3d9",
            "signature_type": "Function",
            "target": {
                "file": "smack-tcp/src/main/java/org/jivesoftware/smack/tcp/XMPPTCPConnection.java",
                "function": "afterFeaturesReceived"
            },
            "digest": {
                "function_hash": "162405135499676843498723261240332619144",
                "length": 613.0
            },
            "source": "https://github.com/igniterealtime/smack/commit/059ee99ba0d5ff7758829acf5a9aeede09ec820b",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2016-10027-1e5ffd5b",
            "signature_type": "Line",
            "target": {
                "file": "smack-core/src/main/java/org/jivesoftware/smack/AbstractXMPPConnection.java"
            },
            "digest": {
                "line_hashes": [
                    "166226024168020727660184602193806048629",
                    "134948199378779160109233975183569890954",
                    "88605558302310824271088796799865826146",
                    "14077166349019321174812351201942193449",
                    "196297237499967699417146947985424409963",
                    "143526958666681977381140448716380814740",
                    "99703176059305289874607224791631730449"
                ],
                "threshold": 0.9
            },
            "source": "https://github.com/igniterealtime/smack/commit/a9d5cd4a611f47123f9561bc5a81a4555fe7cb04",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2016-10027-4e8eb18d",
            "signature_type": "Function",
            "target": {
                "file": "smack-tcp/src/main/java/org/jivesoftware/smack/tcp/XMPPTCPConnection.java",
                "function": "afterFeaturesReceived"
            },
            "digest": {
                "function_hash": "303702324975555651932198125445715319307",
                "length": 636.0
            },
            "source": "https://github.com/igniterealtime/smack/commit/a9d5cd4a611f47123f9561bc5a81a4555fe7cb04",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2016-10027-523b49c2",
            "signature_type": "Line",
            "target": {
                "file": "smack-tcp/src/main/java/org/jivesoftware/smack/tcp/XMPPTCPConnection.java"
            },
            "digest": {
                "line_hashes": [
                    "169165723362371969906079582323103709165",
                    "280501319024056637306658523885183107917",
                    "18020907112047099829245576821518696304",
                    "240627559848030021121748567304378147354",
                    "332333226042827317214943537786066364099",
                    "199290523618971167177330769165687145391",
                    "65092875263612402192528360632512628801",
                    "161544113212455933578606938570874477318",
                    "140938908259842131552865931184605750599",
                    "301528483712289000439262402127736642927",
                    "289993717744099073860443219432424799689",
                    "153359517629275981173086730913140254612",
                    "35448886486458228967770196170700976014",
                    "79668453002046957122340393401129745130",
                    "66506745986681061004248498574039422429",
                    "6067295856158812641652920037044037853",
                    "121816103822801407743410083376309923825"
                ],
                "threshold": 0.9
            },
            "source": "https://github.com/igniterealtime/smack/commit/a9d5cd4a611f47123f9561bc5a81a4555fe7cb04",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2016-10027-69f52c21",
            "signature_type": "Line",
            "target": {
                "file": "smack-tcp/src/main/java/org/jivesoftware/smack/tcp/XMPPTCPConnection.java"
            },
            "digest": {
                "line_hashes": [
                    "306837521746475039993216674962358218187",
                    "169165723362371969906079582323103709165",
                    "280501319024056637306658523885183107917",
                    "18020907112047099829245576821518696304",
                    "240627559848030021121748567304378147354",
                    "332333226042827317214943537786066364099",
                    "199290523618971167177330769165687145391",
                    "24717805826992675106772755207926354630",
                    "224757940918842535709031839122829159062",
                    "126014197207263318222156671962590120951",
                    "263888287788781693049202060486679464291",
                    "290556763773336523595440420038438474553",
                    "198194804144594308455886483219740415631",
                    "140575533528821972582816968326032047590",
                    "317515420276118892021599926880481693919",
                    "153359517629275981173086730913140254612",
                    "35448886486458228967770196170700976014",
                    "79668453002046957122340393401129745130",
                    "66506745986681061004248498574039422429",
                    "6067295856158812641652920037044037853",
                    "121816103822801407743410083376309923825"
                ],
                "threshold": 0.9
            },
            "source": "https://github.com/igniterealtime/smack/commit/059ee99ba0d5ff7758829acf5a9aeede09ec820b",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2016-10027-b4c9b071",
            "signature_type": "Function",
            "target": {
                "file": "smack-core/src/main/java/org/jivesoftware/smack/AbstractXMPPConnection.java",
                "function": "connect"
            },
            "digest": {
                "function_hash": "298171788203308993864096917965207290590",
                "length": 341.0
            },
            "source": "https://github.com/igniterealtime/smack/commit/a9d5cd4a611f47123f9561bc5a81a4555fe7cb04",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2016-10027-f38cc652",
            "signature_type": "Function",
            "target": {
                "file": "smack-tcp/src/main/java/org/jivesoftware/smack/tcp/XMPPTCPConnection.java",
                "function": "connectInternal"
            },
            "digest": {
                "function_hash": "117259362260470440390437471825470891971",
                "length": 256.0
            },
            "source": "https://github.com/igniterealtime/smack/commit/059ee99ba0d5ff7758829acf5a9aeede09ec820b",
            "signature_version": "v1",
            "deprecated": false
        }
    ]
}