Description

An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected.

Related CPE's

a

pivotal_software

rabbitmq

44

a

vmware

rabbitmq

32

References

http://www.debian.org/security/2017/dsa-3761

http://www.securityfocus.com/bid/95065

https://pivotal.io/security/cve-2016-9877

MitigationVendor Advisory

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03880en_us

Weaknesses

[email protected]

Primary
CWE-284

CVSS impact metrics

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 · Critical

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2016-12-29T09:59:00.790

8 years ago

Last modified

2022-03-17T14:02:06.730

3 years ago