CVE-2016-9877

high-risk
Published 2016-12-29

An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected.

Do I need to act?

-
0.33% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (20)

Rabbitmq Server
Rabbitmq Server
Rabbitmq Server
Rabbitmq Server
Rabbitmq Server
Rabbitmq Server
Rabbitmq Server
Rabbitmq Server
Rabbitmq Server
Rabbitmq Server
Rabbitmq Server
Rabbitmq Server
Rabbitmq
Rabbitmq
Rabbitmq
Rabbitmq
Rabbitmq
Rabbitmq
Rabbitmq
Rabbitmq

Affected Vendors

Broadcom Pivotal Software

References (8)

http://www.debian.org/security/2017/dsa-3761
http://www.securityfocus.com/bid/95065
Mitigation https://pivotal.io/security/cve-2016-9877
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpe...
http://www.debian.org/security/2017/dsa-3761
http://www.securityfocus.com/bid/95065
Mitigation https://pivotal.io/security/cve-2016-9877
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpe...
61
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 1/34 · Minimal
Exposure 28/34 · Critical