Vulnerability Monitor

CVE-2016-9877


An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected.


Published

2016-12-29T09:59:00.790

Last Modified

2025-04-12T10:46:40.837

Status

Deferred

Source

[email protected]

Severity

CVSSv3.0: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses
  • Type: Primary
    CWE-284

Affected Vendors & Products

| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | broadcom | rabbitmq_server | 3.0.0 | Yes |
| Application | broadcom | rabbitmq_server | 3.0.1 | Yes |
| Application | broadcom | rabbitmq_server | 3.0.2 | Yes |
| Application | broadcom | rabbitmq_server | 3.0.3 | Yes |
| Application | broadcom | rabbitmq_server | 3.0.4 | Yes |
| Application | broadcom | rabbitmq_server | 3.1.0 | Yes |
| Application | broadcom | rabbitmq_server | 3.1.1 | Yes |
| Application | broadcom | rabbitmq_server | 3.1.2 | Yes |
| Application | broadcom | rabbitmq_server | 3.1.3 | Yes |
| Application | broadcom | rabbitmq_server | 3.1.4 | Yes |
| Application | broadcom | rabbitmq_server | 3.1.5 | Yes |
| Application | broadcom | rabbitmq_server | 3.2.0 | Yes |
| Application | broadcom | rabbitmq_server | 3.2.1 | Yes |
| Application | broadcom | rabbitmq_server | 3.2.2 | Yes |
| Application | broadcom | rabbitmq_server | 3.2.3 | Yes |
| Application | broadcom | rabbitmq_server | 3.2.4 | Yes |
| Application | broadcom | rabbitmq_server | 3.3.0 | Yes |
| Application | broadcom | rabbitmq_server | 3.3.1 | Yes |
| Application | broadcom | rabbitmq_server | 3.3.2 | Yes |
| Application | broadcom | rabbitmq_server | 3.3.3 | Yes |
| Application | broadcom | rabbitmq_server | 3.3.4 | Yes |
| Application | broadcom | rabbitmq_server | 3.3.5 | Yes |
| Application | broadcom | rabbitmq_server | 3.4.0 | Yes |
| Application | broadcom | rabbitmq_server | 3.4.1 | Yes |
| Application | broadcom | rabbitmq_server | 3.4.2 | Yes |
| Application | broadcom | rabbitmq_server | 3.4.3 | Yes |
| Application | broadcom | rabbitmq_server | 3.4.4 | Yes |
| Application | broadcom | rabbitmq_server | 3.5.0 | Yes |
| Application | broadcom | rabbitmq_server | 3.5.1 | Yes |
| Application | broadcom | rabbitmq_server | 3.5.2 | Yes |
| Application | broadcom | rabbitmq_server | 3.5.3 | Yes |
| Application | broadcom | rabbitmq_server | 3.5.6 | Yes |
| Application | pivotal_software | rabbitmq | 3.5.4 | Yes |
| Application | pivotal_software | rabbitmq | 3.5.5 | Yes |
| Application | pivotal_software | rabbitmq | 3.5.7 | Yes |
| Application | pivotal_software | rabbitmq | 3.6.0 | Yes |
| Application | pivotal_software | rabbitmq | 3.6.1 | Yes |
| Application | pivotal_software | rabbitmq | 3.6.2 | Yes |
| Application | pivotal_software | rabbitmq | 3.6.3 | Yes |
| Application | pivotal_software | rabbitmq | 3.6.4 | Yes |
| Application | pivotal_software | rabbitmq | 3.6.5 | Yes |
| Application | pivotal_software | rabbitmq | 1.5.0 | Yes |
| Application | pivotal_software | rabbitmq | 1.5.1 | Yes |
| Application | pivotal_software | rabbitmq | 1.5.2 | Yes |
| Application | pivotal_software | rabbitmq | 1.5.3 | Yes |
| Application | pivotal_software | rabbitmq | 1.5.4 | Yes |
| Application | pivotal_software | rabbitmq | 1.5.5 | Yes |
| Application | pivotal_software | rabbitmq | 1.5.6 | Yes |
| Application | pivotal_software | rabbitmq | 1.5.7 | Yes |
| Application | pivotal_software | rabbitmq | 1.5.8 | Yes |
| Application | pivotal_software | rabbitmq | 1.5.9 | Yes |
| Application | pivotal_software | rabbitmq | 1.5.10 | Yes |
| Application | pivotal_software | rabbitmq | 1.5.11 | Yes |
| Application | pivotal_software | rabbitmq | 1.5.12 | Yes |
| Application | pivotal_software | rabbitmq | 1.5.13 | Yes |
| Application | pivotal_software | rabbitmq | 1.5.14 | Yes |
| Application | pivotal_software | rabbitmq | 1.5.15 | Yes |
| Application | pivotal_software | rabbitmq | 1.5.17 | Yes |
| Application | pivotal_software | rabbitmq | 1.5.18 | Yes |
| Application | pivotal_software | rabbitmq | 1.6.0 | Yes |
| Application | pivotal_software | rabbitmq | 1.6.1 | Yes |
| Application | pivotal_software | rabbitmq | 1.6.2 | Yes |
| Application | pivotal_software | rabbitmq | 1.6.3 | Yes |
| Application | pivotal_software | rabbitmq | 1.6.4 | Yes |
| Application | pivotal_software | rabbitmq | 1.6.5 | Yes |
| Application | pivotal_software | rabbitmq | 1.6.6 | Yes |
| Application | pivotal_software | rabbitmq | 1.6.7 | Yes |
| Application | pivotal_software | rabbitmq | 1.6.8 | Yes |
| Application | pivotal_software | rabbitmq | 1.6.9 | Yes |
| Application | pivotal_software | rabbitmq | 1.6.10 | Yes |
| Application | pivotal_software | rabbitmq | 1.7.0 | Yes |
| Application | pivotal_software | rabbitmq | 1.7.2 | Yes |
| Application | pivotal_software | rabbitmq | 1.7.3 | Yes |
| Application | pivotal_software | rabbitmq | 1.7.4 | Yes |
| Application | pivotal_software | rabbitmq | 1.7.5 | Yes |
| Application | pivotal_software | rabbitmq | 1.7.6 | Yes |

References