Vulnerability Description
An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected.
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Broadcom | RabbitMQ Server | 3.0.0 |
| Pivotal Software | RabbitMQ | 3.5.4 |
Related Weaknesses (CWE)
References
- http://www.debian.org/security/2017/dsa-3761
- http://www.securityfocus.com/bid/95065
- https://pivotal.io/security/cve-2016-9877 (Mitigation, Vendor Advisory)
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpe
FAQ
What is CVE-2016-9877?
CVE-2016-9877 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport)...
How severe is CVE-2016-9877?
CVE-2016-9877 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2016-9877?
Check the references section above for vendor advisories and patch information. Affected products include: Broadcom RabbitMQ Server, Pivotal Software RabbitMQ.