Published: 29/12/2016 Updated: 17/03/2022

CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10

CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

VMScore: 668

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

An issue exists in Pivotal RabbitMQ 3.x prior to 3.5.8 and 3.6.x prior to 3.6.6 and RabbitMQ for PCF 1.5.x prior to 1.5.20, 1.6.x prior to 1.6.12, and 1.7.x prior to 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected.

Vulnerable Product	Search on Vulmon	Subscribe to Product
vmware rabbitmq 3.5.2
vmware rabbitmq 3.5.3
pivotal software rabbitmq 3.5.4
pivotal software rabbitmq 3.6.3
pivotal software rabbitmq 3.6.4
vmware rabbitmq 3.1.0
vmware rabbitmq 3.1.1
vmware rabbitmq 3.2.2
vmware rabbitmq 3.2.3
vmware rabbitmq 3.2.4
vmware rabbitmq 3.4.0
vmware rabbitmq 3.4.1
pivotal software rabbitmq 3.5.5
vmware rabbitmq 3.5.6
pivotal software rabbitmq 3.6.5
vmware rabbitmq 3.0.0
vmware rabbitmq 3.1.2
vmware rabbitmq 3.1.3
vmware rabbitmq 3.3.0
vmware rabbitmq 3.3.1
vmware rabbitmq 3.4.2
vmware rabbitmq 3.4.3
vmware rabbitmq 3.5.0
vmware rabbitmq 3.5.1
pivotal software rabbitmq 3.6.1
pivotal software rabbitmq 3.6.2
vmware rabbitmq 3.0.3
vmware rabbitmq 3.0.4
vmware rabbitmq 3.2.0
vmware rabbitmq 3.2.1
vmware rabbitmq 3.3.4
vmware rabbitmq 3.3.5
vmware rabbitmq 3.4.4
pivotal software rabbitmq 3.5.7
pivotal software rabbitmq 3.6.0
vmware rabbitmq 3.0.1
vmware rabbitmq 3.0.2
vmware rabbitmq 3.1.4
vmware rabbitmq 3.1.5
vmware rabbitmq 3.3.2
vmware rabbitmq 3.3.3
pivotal software rabbitmq 1.5.13
pivotal software rabbitmq 1.5.11
pivotal software rabbitmq 1.5.10
pivotal software rabbitmq 1.5.3
pivotal software rabbitmq 1.5.2
pivotal software rabbitmq 1.6.4
pivotal software rabbitmq 1.6.3
pivotal software rabbitmq 1.7.3
pivotal software rabbitmq 1.7.2
pivotal software rabbitmq 1.5.18
pivotal software rabbitmq 1.5.17
pivotal software rabbitmq 1.5.9
pivotal software rabbitmq 1.5.8
pivotal software rabbitmq 1.5.1
pivotal software rabbitmq 1.6.10
pivotal software rabbitmq 1.6.9
pivotal software rabbitmq 1.6.2
pivotal software rabbitmq 1.6.1
pivotal software rabbitmq 1.7.0
pivotal software rabbitmq 1.5.0
pivotal software rabbitmq 1.5.12
pivotal software rabbitmq 1.5.5
pivotal software rabbitmq 1.5.4
pivotal software rabbitmq 1.6.6
pivotal software rabbitmq 1.6.5
pivotal software rabbitmq 1.7.5
pivotal software rabbitmq 1.7.4
pivotal software rabbitmq 1.5.15
pivotal software rabbitmq 1.5.14
pivotal software rabbitmq 1.5.7
pivotal software rabbitmq 1.5.6
pivotal software rabbitmq 1.6.8
pivotal software rabbitmq 1.6.7
pivotal software rabbitmq 1.6.0
pivotal software rabbitmq 1.7.6

Debian Bug report logs - #849849 rabbitmq-server: CVE-2016-9877 Package: src:rabbitmq-server; Maintainer for src:rabbitmq-server is Debian OpenStack <team+openstack@trackerdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Sun, 1 Jan 2017 11:15:01 UTC Severity: grave Tags: security, upstream ...

RabbitMQ could allow unintended access to network services ...

CWE-284 https://pivotal.io/security/cve-2016-9877 http://www.securityfocus.com/bid/95065 http://www.debian.org/security/2017/dsa-3761 https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03880en_us https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849849 https://usn.ubuntu.com/3374-1/https://nvd.nist.gov

CVE-2016-9877

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect