PT-2016-7860
Published: 2016-12-29 · Updated: 2025-04-02
CVE-2016-9877
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Pivotal RabbitMQ versions 3.x through 3.5.7
Pivotal RabbitMQ versions 3.6.x through 3.6.5
RabbitMQ for PCF versions 1.5.x through 1.5.19
RabbitMQ for PCF versions 1.6.x through 1.6.11
RabbitMQ for PCF versions 1.7.x through 1.7.6
Description
An issue was discovered where MQTT connection authentication with a username/password pair succeeds even if the password is omitted from the connection request, provided the supplied username exists. This issue does not affect connections that use TLS with a client-provided certificate.
Recommendations
For Pivotal RabbitMQ versions 3.x through 3.5.7, update to version 3.5.8 or later.
For Pivotal RabbitMQ versions 3.6.x through 3.6.5, update to version 3.6.6 or later.
For RabbitMQ for PCF versions 1.5.x through 1.5.19, update to version 1.5.20 or later.
For RabbitMQ for PCF versions 1.6.x through 1.6.11, update to version 1.6.12 or later.
For RabbitMQ for PCF versions 1.7.x through 1.7.6, update to version 1.7.7 or later.
Weakness Enumeration
Improper Access Control
Affected Products
Alt Linux
Rabbitmq
Suse
Ubuntu