Vulnerability Details: CVE-2016-9877
An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected.
Vulnerability category: Bypass; Gain privilege
Products affected by CVE-2016-9877
- cpe:2.3:a:vmware:rabbitmq:3.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:rabbitmq:3.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:3.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:3.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:3.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:3.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:3.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:3.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:3.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:3.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:3.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.5.13:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.5.11:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.5.10:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.5.3:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.5.2:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.6.4:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.6.3:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.7.3:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.7.2:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.5.18:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.5.17:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.5.9:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.5.8:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.5.1:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.6.10:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.6.9:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.6.2:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.6.1:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.7.0:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.5.0:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.5.12:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.5.5:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.5.4:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.6.6:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.6.5:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.7.5:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.7.4:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.5.15:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.5.14:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.5.7:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.5.6:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.6.8:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.6.7:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.6.0:*:*:*:*:pivotal_cloud_foundry:*:*
- cpe:2.3:a:pivotal_software:rabbitmq:1.7.6:*:*:*:*:pivotal_cloud_foundry:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-9877
- EPSS score: 0.34% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~68% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2016-9877
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2016-9877
- The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2016-9877
- http://www.debian.org/security/2017/dsa-3761
  Debian -- Security Information -- DSA-3761-1 rabbitmq-server
- https://pivotal.io/security/cve-2016-9877
  CVE-2016-9877 RabbitMQ authentication vulnerability | Security | Pivotal (Mitigation; Vendor Advisory)
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03880en_us
  HPESBST03880 rev.1 - HPE XP P9000 Command View Advanced Edition (CVAE), Local and Remote Unauthorized Access to Sensitive Information
- http://www.securityfocus.com/bid/95065
  Pivotal RabbitMQ Products CVE-2016-9877 Authentication Bypass Vulnerability