Vulnerability Details : CVE-2014-9650
CRLF injection vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the download parameter to api/definitions.
Exploit prediction scoring system (EPSS) score for CVE-2014-9650
Probability of exploitation activity in the next 30 days: 0.40%
Percentile (the proportion of vulnerabilities scored at or below this one): ~70%
CVSS scores for CVE-2014-9650
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST
References for CVE-2014-9650
- http://rhn.redhat.com/errata/RHSA-2016-0308.html (RHSA-2016:0308 - Security Advisory - Red Hat Customer Portal)
- https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs (Google Groups)
- http://www.openwall.com/lists/oss-security/2015/01/21/13 (oss-security - CVE Request: XSS and response-splitting bugs in rabbitmq management plugin; Mailing List, Third Party Advisory)
- http://www.securityfocus.com/bid/76091 (RabbitMQ CVE-2014-9650 HTTP Response Splitting Vulnerability)
- http://www.rabbitmq.com/release-notes/README-3.4.1.txt (Vendor Advisory)
Products affected by CVE-2014-9650
- cpe:2.3:a:vmware:rabbitmq:3.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:2.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:2.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:2.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:2.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:2.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:2.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:2.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:2.8.4:*:*:*:*:*:*:*