Search criteria
36 vulnerabilities found for rabbitmq by pivotal_software
FKIE_CVE-2020-5419
Vulnerability from fkie_nvd - Published: 2020-08-31 15:15 - Updated: 2025-04-02 14:13
Severity ?
Summary
RabbitMQ versions 3.8.x prior to 3.8.7 are prone to a Windows-specific binary planting security vulnerability that allows for arbitrary code execution. An attacker with write privileges to the RabbitMQ installation directory and local access on Windows could carry out a local binary hijacking (planting) attack and execute arbitrary code.
References
| URL | Tags | ||
|---|---|---|---|
| security@pivotal.io | https://tanzu.vmware.com/security/cve-2020-5419 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://tanzu.vmware.com/security/cve-2020-5419 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| broadcom | rabbitmq_server | * | |
| pivotal_software | rabbitmq | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3294509D-9AD8-4BA0-B2B5-A61A3C59BB5D",
"versionEndExcluding": "3.8.7",
"versionStartIncluding": "3.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:*:*:*",
"matchCriteriaId": "56069EBC-2F93-4786-9AE2-841A659FD9C0",
"versionEndExcluding": "3.7.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "RabbitMQ versions 3.8.x prior to 3.8.7 are prone to a Windows-specific binary planting security vulnerability that allows for arbitrary code execution. An attacker with write privileges to the RabbitMQ installation directory and local access on Windows could carry out a local binary hijacking (planting) attack and execute arbitrary code."
},
{
"lang": "es",
"value": "RabbitMQ versiones 3.8.x anteriores a 3.8.7, son propensas a una vulnerabilidad de seguridad de plantaci\u00f3n de binario espec\u00edfico de Windows que permite una ejecuci\u00f3n de c\u00f3digo arbitraria. Un atacante con privilegios de escritura en el directorio de instalaci\u00f3n de RabbitMQ y acceso local en Windows podr\u00eda llevar a cabo un ataque de secuestro (plantaci\u00f3n) de binario local y ejecutar c\u00f3digo arbitrario"
}
],
"id": "CVE-2020-5419",
"lastModified": "2025-04-02T14:13:43.180",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 0.8,
"impactScore": 5.9,
"source": "security@pivotal.io",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-08-31T15:15:11.010",
"references": [
{
"source": "security@pivotal.io",
"tags": [
"Vendor Advisory"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5419"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5419"
}
],
"sourceIdentifier": "security@pivotal.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-427"
}
],
"source": "security@pivotal.io",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-427"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-11287
Vulnerability from fkie_nvd - Published: 2019-11-23 00:15 - Updated: 2025-04-02 14:13
Severity ?
Summary
Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| broadcom | rabbitmq_server | * | |
| pivotal_software | rabbitmq | * | |
| pivotal_software | rabbitmq | * | |
| pivotal_software | rabbitmq | * | |
| fedoraproject | fedora | 30 | |
| fedoraproject | fedora | 31 | |
| redhat | openstack | 15 | |
| debian | debian_linux | 9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1454C45F-9056-4FDB-8E53-BAFDFB330F36",
"versionEndExcluding": "3.8.1",
"versionStartIncluding": "3.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "9A203B97-4B5E-4851-BA2D-DC551F31F3D3",
"versionEndExcluding": "1.16.7",
"versionStartIncluding": "1.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "A17844A1-5E52-4FB6-8261-BF32BA113733",
"versionEndExcluding": "1.17.4",
"versionStartIncluding": "1.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:*:*:*",
"matchCriteriaId": "44D49187-912D-4F14-A2B4-BEEB9D278C9C",
"versionEndExcluding": "3.7.21",
"versionStartIncluding": "3.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
"matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
"matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openstack:15:*:*:*:*:*:*:*",
"matchCriteriaId": "70108B60-8817-40B4-8412-796A592E4E5E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The \"X-Reason\" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing."
},
{
"lang": "es",
"value": "Pivotal RabbitMQ, versiones 3.7.x anteriores a 3.7.21 y versiones 3.8.x anteriores a 3.8.1, y RabbitMQ para Pivotal Platform, versiones 1.16.x anteriores a 1.16.7 y versiones 1.17.x versiones anteriores a 1.17.4, contienen un plugin de administraci\u00f3n web que es vulnerable a un ataque de denegaci\u00f3n de servicio. El encabezado \"X-Reason\" de HTTP puede ser aprovechado para insertar una cadena de formato Erlang maliciosa que expandir\u00e1 y consumir\u00e1 la pila, resultando en el bloqueo del servidor."
}
],
"id": "CVE-2019-11287",
"lastModified": "2025-04-02T14:13:43.180",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 0.9,
"impactScore": 3.6,
"source": "security@pivotal.io",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-23T00:15:10.683",
"references": [
{
"source": "security@pivotal.io",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0078"
},
{
"source": "security@pivotal.io",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin"
},
{
"source": "security@pivotal.io",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
},
{
"source": "security@pivotal.io",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
},
{
"source": "security@pivotal.io",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
},
{
"source": "security@pivotal.io",
"tags": [
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2019-11287"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0078"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2019-11287"
}
],
"sourceIdentifier": "security@pivotal.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "security@pivotal.io",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-134"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-11281
Vulnerability from fkie_nvd - Published: 2019-10-16 16:15 - Updated: 2024-11-21 04:20
Severity ?
Summary
Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pivotal_software | rabbitmq | * | |
| pivotal_software | rabbitmq | * | |
| pivotal_software | rabbitmq | * | |
| pivotal_software | rabbitmq | * | |
| redhat | openstack | 15 | |
| redhat | openstack_for_ibm_power | 15 | |
| debian | debian_linux | 9.0 | |
| fedoraproject | fedora | 30 | |
| fedoraproject | fedora | 31 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B4F377A9-A488-4C3C-97E4-3A2B9E4D84C8",
"versionEndExcluding": "3.7.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "96BAE006-3986-4FD0-A47F-A6EA310D2970",
"versionEndExcluding": "1.15.13",
"versionStartIncluding": "1.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "362E2727-D4D4-4A78-BA9E-DFC344005F6C",
"versionEndExcluding": "1.16.6",
"versionStartIncluding": "1.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "F467BF7B-8098-4C81-ACDE-ABD4E66B5753",
"versionEndExcluding": "1.17.3",
"versionStartIncluding": "1.17.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openstack:15:*:*:*:*:*:*:*",
"matchCriteriaId": "70108B60-8817-40B4-8412-796A592E4E5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openstack_for_ibm_power:15:*:*:*:*:*:*:*",
"matchCriteriaId": "05002836-7DD1-4EF1-8949-4AC8A2268672",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
"matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
"matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information."
},
{
"lang": "es",
"value": "Pivotal RabbitMQ, versiones anteriores a v3.7.18 y RabbitMQ for PCF, versiones 1.15.x anteriores a 1.15.13, versiones 1.16.x anteriores a 1.16.6 y versiones 1.17.x anteriores a 1.17.3, contienen dos componentes, la p\u00e1gina de l\u00edmites de host virtual y la UI de administraci\u00f3n federation que no sanean apropiadamente la entrada del usuario. Un usuario malicioso autenticado remoto con acceso administrativo podr\u00eda crear un ataque de tipo cross-site scripting que obtendr\u00eda acceso a hosts virtuales e informaci\u00f3n de gesti\u00f3n de pol\u00edticas."
}
],
"id": "CVE-2019-11281",
"lastModified": "2024-11-21T04:20:50.700",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 0.9,
"impactScore": 1.4,
"source": "security@pivotal.io",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-16T16:15:10.340",
"references": [
{
"source": "security@pivotal.io",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0078"
},
{
"source": "security@pivotal.io",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
},
{
"source": "security@pivotal.io",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
},
{
"source": "security@pivotal.io",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
},
{
"source": "security@pivotal.io",
"tags": [
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2019-11281"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0078"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2019-11281"
}
],
"sourceIdentifier": "security@pivotal.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@pivotal.io",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-1279
Vulnerability from fkie_nvd - Published: 2018-12-10 19:29 - Updated: 2024-11-21 03:59
Severity ?
8.5 (High) - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
6.5 (Medium) - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster.
References
| URL | Tags | ||
|---|---|---|---|
| security_alert@emc.com | https://pivotal.io/security/cve-2018-1279 | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pivotal.io/security/cve-2018-1279 | Mitigation, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pivotal_software | rabbitmq | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "8ECA11BE-4AD5-41B4-9828-037E3D36F94E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster."
},
{
"lang": "es",
"value": "Pivotal RabbitMQ para PCF, en todas las versiones, emplea una cookie generada de forma determin\u00edstica compartida entre todas las m\u00e1quinas cuando se configura en un cl\u00faster multiinquilino. Un atacante remoto que pueda obtener informaci\u00f3n sobre la topolog\u00eda de la red puede adivinar esta cookie y, si tienen acceso a los puertos correctos en cualquier servidor del cl\u00faster MQ, puede emplear esta cookie para obtener el control total del cl\u00faster completo."
}
],
"id": "CVE-2018-1279",
"lastModified": "2024-11-21T03:59:31.903",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.5,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 6.0,
"source": "security_alert@emc.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-12-10T19:29:25.127",
"references": [
{
"source": "security_alert@emc.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2018-1279"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2018-1279"
}
],
"sourceIdentifier": "security_alert@emc.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-330"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-11087
Vulnerability from fkie_nvd - Published: 2018-09-14 20:29 - Updated: 2025-03-27 19:56
Severity ?
Summary
Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit.
References
| URL | Tags | ||
|---|---|---|---|
| security_alert@emc.com | https://pivotal.io/security/cve-2018-11087 | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pivotal.io/security/cve-2018-11087 | Mitigation, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:*:*:*:*:*:*:*:*",
"matchCriteriaId": "566164E6-65C1-4C27-99DB-16C4D0C6AB76",
"versionEndExcluding": "1.7.10",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:*:*:*:*:*:*:*:*",
"matchCriteriaId": "41A3EA77-DF58-4670-8609-C0FA7A407C6E",
"versionEndExcluding": "2.0.6",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vmware:rabbitmq_java_client:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CAB8F295-EA89-4565-AE6B-9B8BD193459A",
"versionEndExcluding": "4.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:rabbitmq_java_client:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C419AB2D-7C18-4F44-84A4-A4202D83AE44",
"versionEndExcluding": "5.4.0",
"versionStartIncluding": "4.8.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit."
},
{
"lang": "es",
"value": "Pivotal Spring AMQP, en versiones 1.x anteriores a la 1.7.10 y versiones 2.x anteriores a la 2.0.6, expone una vulnerabilidad Man-in-the-Middle (MitM) debido a la falta de validaci\u00f3n de nombres de host. Un usuario malicioso que pueda interceptar tr\u00e1fico ser\u00eda capaz de ver los datos en tr\u00e1nsito."
}
],
"id": "CVE-2018-11087",
"lastModified": "2025-03-27T19:56:20.387",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-09-14T20:29:00.417",
"references": [
{
"source": "security_alert@emc.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2018-11087"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2018-11087"
}
],
"sourceIdentifier": "security_alert@emc.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-4966
Vulnerability from fkie_nvd - Published: 2017-06-13 06:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. RabbitMQ management UI stores signed-in user credentials in a browser's local storage without expiration, making it possible to retrieve them using a chained attack.
References
| URL | Tags | ||
|---|---|---|---|
| security_alert@emc.com | https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html | Third Party Advisory | |
| security_alert@emc.com | https://pivotal.io/security/cve-2017-4966 | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pivotal.io/security/cve-2017-4966 | Mitigation, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "755456D9-7249-4092-970C-230729E2F856",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "74804A09-A266-45F3-BB54-73892AD1D22D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "08DE4A7C-EEA5-46E5-8604-041B721DC3E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "83206370-1606-4D4C-94F2-6B21885ADB6E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "36AA89DA-AE78-409B-B4FF-B743490F76C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "90973C7F-E63D-4C00-BB6A-DA2F796697E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F451B7B3-9272-4184-B18A-87ED6B3D2756",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A9166D68-CC18-4F53-9DA6-FA10B93E7702",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "BE205B46-5ACF-44B9-877A-FDC67AA7079F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "1D0FDB23-6A99-4783-871A-CD25E20F044D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.6.7:*:*:*:*:*:*:*",
"matchCriteriaId": "5A315D37-F74F-4EF2-9F47-9639BEBEAB05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "0DE6A4B2-0445-470B-B18C-2CFEB2A52455",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0B52805C-6F10-4BCD-AA74-3E0C0FF5E3C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "5FE2FBE9-5D35-4273-8B83-A400D3A0136D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B11709F3-3F1C-4FC2-9F2D-87951EC04308",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "32F9F3F6-B1AF-423F-9F96-4329589B323A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "AECBDFAA-198F-4A47-835A-4E17C090DF02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D879D6FD-39D7-4589-8DE7-C8DAAE6F165E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CE842A15-D676-4E00-AAD7-1088CE122876",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F40845F9-00D8-44F0-8B2E-60094A3D37CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.6:*:*:*:*:*:*:*",
"matchCriteriaId": "3772B181-64DB-43AA-99C1-21378CF91E51",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.0:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "0DA89B77-6455-40CD-931E-BB07CD9A3166",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.1:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "52350E43-4AB5-45ED-AC31-CC948DB87631",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.2:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "42856F22-74CD-4278-8EAA-2C6582A7E658",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.3:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "F1C7EE64-A51B-4D02-AAC4-20F4D3FCB110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.4:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "B0D8589A-B843-4130-8CC8-3D4C464CDB4D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.5:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "62016F87-0B15-4D1B-A2AB-FC4769F95DB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.6:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "7DF99EF7-AFCB-4CA5-8F28-ABC9118612CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.7:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "2D9F3D8B-DDB3-4175-AAD7-8F952E9A7D2C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.8:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "C5125B26-63EE-4FE8-97A1-DC6E11757ACA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.9:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "6AF3BAA0-0AEA-4B96-9C91-E51789844A39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.10:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "DD5F0850-F34B-4E79-A46D-B74F2E90C43A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.11:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "DF23DD7D-16B4-408C-A825-C79487D79A0F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.12:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "E792D92E-07A1-4E48-90CB-5EC7C99E0AF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.13:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "B873D04B-704B-468D-A2B1-8E04653806F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.14:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "13C9004B-590A-45F0-8AA9-713928A8F5F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.15:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "F22B84B3-438E-4E08-A02D-4A85C0C561B6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.17:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "501A5F31-6DBA-4E90-8BAD-E1DFD0967D0F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.18:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "3E99B39C-21AF-4F75-8D96-9B69F48C2A39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.19:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "0CFACCBF-6C53-4A7F-AC0F-8A2D03E6D6EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.0:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "3C6E80B6-857B-4D53-B107-8667EFCCE0EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.1:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "95C7294C-C9D3-40F8-B3C9-40424D5FC124",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.2:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "66F85747-11AA-4133-B553-3C31152F0781",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.3:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "B425D53C-5713-401E-BE30-BCDE54F65857",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.4:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "758D57BA-3EA6-4036-8BDD-5BA2AAE25F77",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.5:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "036437B9-1A7F-4C60-B9FE-B38173BC6FAB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.6:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "408D457F-4DE5-4280-8379-083DA78ECF00",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.7:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "C9D2B08D-9779-4E80-BAB6-870F81F24F7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.8:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "90F47590-6640-494F-8A93-A9AC70459DD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.9:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "5D1F88E0-4047-4ADE-A898-88FE6358D659",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.10:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "8647C50B-41CB-45CE-89E7-BB4B2759DE40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.12:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "4960386C-07D9-4367-945C-278595DB6C0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.13:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "A49DCDFA-4D98-4AEC-91A1-612B85DDFB04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.14:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "4FEB47ED-5D35-4151-B087-8324339DE5FE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.15:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "65A513AD-9236-42D7-9D04-F318A5815640",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.16:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "6647F298-1B11-46D8-B68A-6B284BB1F7AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.0:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "9997C9C6-4918-4B74-92E4-012B58278DEC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.2:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "F6DB5A36-22F9-4A2C-9ED0-68D1434B06D0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.3:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "33C0370F-77A5-4A51-ABF2-21793CD57043",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.4:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "4C3C0A88-66F6-46D5-9A79-BEFB654979D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.5:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "1EC26CD6-172D-4DBE-8B23-59491E4765E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.6:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "669EA6CA-3F6C-4151-986D-173F1375B32B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.7:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "69960839-7C03-4542-80D3-5C71795F8159",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.8:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "82CA3E75-AFD0-486A-9EFA-71A8CA780632",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.9:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "921374B4-B99F-4863-99D8-9FD938EF8EF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.10:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "C5344CFC-3100-4407-93E4-65594C3741B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.13:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "06B09408-573D-47A8-BC84-724DD88976E4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.14:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "ADF54631-875A-45C4-9C0A-4836AB1F8309",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. RabbitMQ management UI stores signed-in user credentials in a browser\u0027s local storage without expiration, making it possible to retrieve them using a chained attack."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en estas versiones de RabbitMQ de Pivotal: todas las versiones 3.4.x, todas las versiones 3.5.x y versiones 3.6.x anteriores a 3.6.9; y en estas versiones de RabbitMQ de Pivotal para PCF: todas las versiones 1.5.x, versiones 1.6.x anteriores a 1.6.18 y versiones 1.7.x anteriores a 1.7.15. La interfaz de usuario de administraci\u00f3n de RabbitMQ almacena las credenciales de los usuarios registrados en el almacenamiento local de un navegador sin expiraci\u00f3n, lo que hace posible recuperarlas mediante un ataque encadenado."
}
],
"id": "CVE-2017-4966",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-06-13T06:29:00.503",
"references": [
{
"source": "security_alert@emc.com",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
},
{
"source": "security_alert@emc.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2017-4966"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2017-4966"
}
],
"sourceIdentifier": "security_alert@emc.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-4965
Vulnerability from fkie_nvd - Published: 2017-06-13 06:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
References
| URL | Tags | ||
|---|---|---|---|
| security_alert@emc.com | http://www.securityfocus.com/bid/98394 | Third Party Advisory, VDB Entry | |
| security_alert@emc.com | https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html | Third Party Advisory | |
| security_alert@emc.com | https://pivotal.io/security/cve-2017-4965 | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/98394 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pivotal.io/security/cve-2017-4965 | Mitigation, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "755456D9-7249-4092-970C-230729E2F856",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "74804A09-A266-45F3-BB54-73892AD1D22D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "08DE4A7C-EEA5-46E5-8604-041B721DC3E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "83206370-1606-4D4C-94F2-6B21885ADB6E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "36AA89DA-AE78-409B-B4FF-B743490F76C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "90973C7F-E63D-4C00-BB6A-DA2F796697E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F451B7B3-9272-4184-B18A-87ED6B3D2756",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A9166D68-CC18-4F53-9DA6-FA10B93E7702",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "BE205B46-5ACF-44B9-877A-FDC67AA7079F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "1D0FDB23-6A99-4783-871A-CD25E20F044D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.6.7:*:*:*:*:*:*:*",
"matchCriteriaId": "5A315D37-F74F-4EF2-9F47-9639BEBEAB05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "0DE6A4B2-0445-470B-B18C-2CFEB2A52455",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0B52805C-6F10-4BCD-AA74-3E0C0FF5E3C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "5FE2FBE9-5D35-4273-8B83-A400D3A0136D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B11709F3-3F1C-4FC2-9F2D-87951EC04308",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "32F9F3F6-B1AF-423F-9F96-4329589B323A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "AECBDFAA-198F-4A47-835A-4E17C090DF02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D879D6FD-39D7-4589-8DE7-C8DAAE6F165E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CE842A15-D676-4E00-AAD7-1088CE122876",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F40845F9-00D8-44F0-8B2E-60094A3D37CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.6:*:*:*:*:*:*:*",
"matchCriteriaId": "3772B181-64DB-43AA-99C1-21378CF91E51",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.0:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "0DA89B77-6455-40CD-931E-BB07CD9A3166",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.1:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "52350E43-4AB5-45ED-AC31-CC948DB87631",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.2:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "42856F22-74CD-4278-8EAA-2C6582A7E658",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.3:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "F1C7EE64-A51B-4D02-AAC4-20F4D3FCB110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.4:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "B0D8589A-B843-4130-8CC8-3D4C464CDB4D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.5:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "62016F87-0B15-4D1B-A2AB-FC4769F95DB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.6:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "7DF99EF7-AFCB-4CA5-8F28-ABC9118612CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.7:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "2D9F3D8B-DDB3-4175-AAD7-8F952E9A7D2C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.8:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "C5125B26-63EE-4FE8-97A1-DC6E11757ACA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.9:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "6AF3BAA0-0AEA-4B96-9C91-E51789844A39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.10:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "DD5F0850-F34B-4E79-A46D-B74F2E90C43A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.11:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "DF23DD7D-16B4-408C-A825-C79487D79A0F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.12:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "E792D92E-07A1-4E48-90CB-5EC7C99E0AF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.13:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "B873D04B-704B-468D-A2B1-8E04653806F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.14:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "13C9004B-590A-45F0-8AA9-713928A8F5F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.15:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "F22B84B3-438E-4E08-A02D-4A85C0C561B6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.17:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "501A5F31-6DBA-4E90-8BAD-E1DFD0967D0F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.18:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "3E99B39C-21AF-4F75-8D96-9B69F48C2A39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.19:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "0CFACCBF-6C53-4A7F-AC0F-8A2D03E6D6EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.0:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "3C6E80B6-857B-4D53-B107-8667EFCCE0EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.1:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "95C7294C-C9D3-40F8-B3C9-40424D5FC124",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.2:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "66F85747-11AA-4133-B553-3C31152F0781",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.3:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "B425D53C-5713-401E-BE30-BCDE54F65857",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.4:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "758D57BA-3EA6-4036-8BDD-5BA2AAE25F77",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.5:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "036437B9-1A7F-4C60-B9FE-B38173BC6FAB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.6:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "408D457F-4DE5-4280-8379-083DA78ECF00",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.7:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "C9D2B08D-9779-4E80-BAB6-870F81F24F7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.8:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "90F47590-6640-494F-8A93-A9AC70459DD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.9:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "5D1F88E0-4047-4ADE-A898-88FE6358D659",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.10:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "8647C50B-41CB-45CE-89E7-BB4B2759DE40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.12:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "4960386C-07D9-4367-945C-278595DB6C0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.13:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "A49DCDFA-4D98-4AEC-91A1-612B85DDFB04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.14:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "4FEB47ED-5D35-4151-B087-8324339DE5FE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.15:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "65A513AD-9236-42D7-9D04-F318A5815640",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.16:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "6647F298-1B11-46D8-B68A-6B284BB1F7AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.0:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "9997C9C6-4918-4B74-92E4-012B58278DEC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.2:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "F6DB5A36-22F9-4A2C-9ED0-68D1434B06D0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.3:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "33C0370F-77A5-4A51-ABF2-21793CD57043",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.4:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "4C3C0A88-66F6-46D5-9A79-BEFB654979D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.5:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "1EC26CD6-172D-4DBE-8B23-59491E4765E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.6:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "669EA6CA-3F6C-4151-986D-173F1375B32B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.7:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "69960839-7C03-4542-80D3-5C71795F8159",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.8:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "82CA3E75-AFD0-486A-9EFA-71A8CA780632",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.9:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "921374B4-B99F-4863-99D8-9FD938EF8EF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.10:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "C5344CFC-3100-4407-93E4-65594C3741B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.13:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "06B09408-573D-47A8-BC84-724DD88976E4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.14:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "ADF54631-875A-45C4-9C0A-4836AB1F8309",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en estas versiones de RabbitMQ de Pivotal: todas las versiones 3.4.x, todas las versiones 3.5.x y versiones 3.6.x anteriores a 3.6.9; y en estas versiones de RabbitMQ de Pivotal para PCF: todas las versiones 1.5.x, versiones 1.6.x anteriores a 1.6.18 y versiones 1.7.x anteriores a 1.7.15. Varios formularios en la interfaz de usuario de administraci\u00f3n de RabbitMQ son vulnerables a los ataques de tipo XSS."
}
],
"id": "CVE-2017-4965",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-06-13T06:29:00.457",
"references": [
{
"source": "security_alert@emc.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/98394"
},
{
"source": "security_alert@emc.com",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
},
{
"source": "security_alert@emc.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2017-4965"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/98394"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2017-4965"
}
],
"sourceIdentifier": "security_alert@emc.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-4967
Vulnerability from fkie_nvd - Published: 2017-06-13 06:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
References
| URL | Tags | ||
|---|---|---|---|
| security_alert@emc.com | https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html | Third Party Advisory | |
| security_alert@emc.com | https://pivotal.io/security/cve-2017-4965 | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pivotal.io/security/cve-2017-4965 | Mitigation, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "755456D9-7249-4092-970C-230729E2F856",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "74804A09-A266-45F3-BB54-73892AD1D22D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "08DE4A7C-EEA5-46E5-8604-041B721DC3E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "83206370-1606-4D4C-94F2-6B21885ADB6E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "36AA89DA-AE78-409B-B4FF-B743490F76C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "90973C7F-E63D-4C00-BB6A-DA2F796697E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F451B7B3-9272-4184-B18A-87ED6B3D2756",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A9166D68-CC18-4F53-9DA6-FA10B93E7702",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "BE205B46-5ACF-44B9-877A-FDC67AA7079F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "1D0FDB23-6A99-4783-871A-CD25E20F044D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.6.7:*:*:*:*:*:*:*",
"matchCriteriaId": "5A315D37-F74F-4EF2-9F47-9639BEBEAB05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "0DE6A4B2-0445-470B-B18C-2CFEB2A52455",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0B52805C-6F10-4BCD-AA74-3E0C0FF5E3C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "5FE2FBE9-5D35-4273-8B83-A400D3A0136D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B11709F3-3F1C-4FC2-9F2D-87951EC04308",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "32F9F3F6-B1AF-423F-9F96-4329589B323A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "AECBDFAA-198F-4A47-835A-4E17C090DF02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D879D6FD-39D7-4589-8DE7-C8DAAE6F165E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CE842A15-D676-4E00-AAD7-1088CE122876",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F40845F9-00D8-44F0-8B2E-60094A3D37CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.6:*:*:*:*:*:*:*",
"matchCriteriaId": "3772B181-64DB-43AA-99C1-21378CF91E51",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.0:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "0DA89B77-6455-40CD-931E-BB07CD9A3166",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.1:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "52350E43-4AB5-45ED-AC31-CC948DB87631",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.2:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "42856F22-74CD-4278-8EAA-2C6582A7E658",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.3:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "F1C7EE64-A51B-4D02-AAC4-20F4D3FCB110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.4:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "B0D8589A-B843-4130-8CC8-3D4C464CDB4D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.5:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "62016F87-0B15-4D1B-A2AB-FC4769F95DB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.6:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "7DF99EF7-AFCB-4CA5-8F28-ABC9118612CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.7:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "2D9F3D8B-DDB3-4175-AAD7-8F952E9A7D2C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.8:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "C5125B26-63EE-4FE8-97A1-DC6E11757ACA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.9:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "6AF3BAA0-0AEA-4B96-9C91-E51789844A39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.10:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "DD5F0850-F34B-4E79-A46D-B74F2E90C43A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.11:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "DF23DD7D-16B4-408C-A825-C79487D79A0F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.12:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "E792D92E-07A1-4E48-90CB-5EC7C99E0AF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.13:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "B873D04B-704B-468D-A2B1-8E04653806F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.14:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "13C9004B-590A-45F0-8AA9-713928A8F5F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.15:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "F22B84B3-438E-4E08-A02D-4A85C0C561B6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.17:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "501A5F31-6DBA-4E90-8BAD-E1DFD0967D0F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.18:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "3E99B39C-21AF-4F75-8D96-9B69F48C2A39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.19:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "0CFACCBF-6C53-4A7F-AC0F-8A2D03E6D6EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.0:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "3C6E80B6-857B-4D53-B107-8667EFCCE0EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.1:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "95C7294C-C9D3-40F8-B3C9-40424D5FC124",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.2:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "66F85747-11AA-4133-B553-3C31152F0781",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.3:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "B425D53C-5713-401E-BE30-BCDE54F65857",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.4:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "758D57BA-3EA6-4036-8BDD-5BA2AAE25F77",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.5:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "036437B9-1A7F-4C60-B9FE-B38173BC6FAB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.6:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "408D457F-4DE5-4280-8379-083DA78ECF00",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.7:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "C9D2B08D-9779-4E80-BAB6-870F81F24F7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.8:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "90F47590-6640-494F-8A93-A9AC70459DD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.9:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "5D1F88E0-4047-4ADE-A898-88FE6358D659",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.10:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "8647C50B-41CB-45CE-89E7-BB4B2759DE40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.12:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "4960386C-07D9-4367-945C-278595DB6C0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.13:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "A49DCDFA-4D98-4AEC-91A1-612B85DDFB04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.14:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "4FEB47ED-5D35-4151-B087-8324339DE5FE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.15:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "65A513AD-9236-42D7-9D04-F318A5815640",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.16:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "6647F298-1B11-46D8-B68A-6B284BB1F7AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.0:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "9997C9C6-4918-4B74-92E4-012B58278DEC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.2:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "F6DB5A36-22F9-4A2C-9ED0-68D1434B06D0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.3:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "33C0370F-77A5-4A51-ABF2-21793CD57043",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.4:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "4C3C0A88-66F6-46D5-9A79-BEFB654979D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.5:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "1EC26CD6-172D-4DBE-8B23-59491E4765E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.6:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "669EA6CA-3F6C-4151-986D-173F1375B32B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.7:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "69960839-7C03-4542-80D3-5C71795F8159",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.8:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "82CA3E75-AFD0-486A-9EFA-71A8CA780632",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.9:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "921374B4-B99F-4863-99D8-9FD938EF8EF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.10:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "C5344CFC-3100-4407-93E4-65594C3741B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.13:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "06B09408-573D-47A8-BC84-724DD88976E4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.14:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "ADF54631-875A-45C4-9C0A-4836AB1F8309",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en estas versiones de RabbitMQ de Pivotal: todas las versiones 3.4.x, todas las versiones 3.5.x y versiones 3.6.x anteriores a 3.6.9; y en estas versiones de RabbitMQ de Pivotal para PCF: todas las versiones 1.5.x, versiones 1.6.x anteriores a 1.6.18 y versiones 1.7.x anteriores a 1.7.15. Varios formularios en la interfaz de usuario de administraci\u00f3n de RabbitMQ son vulnerables a los ataques de tipo XSS."
}
],
"id": "CVE-2017-4967",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-06-13T06:29:00.520",
"references": [
{
"source": "security_alert@emc.com",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
},
{
"source": "security_alert@emc.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2017-4965"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2017-4965"
}
],
"sourceIdentifier": "security_alert@emc.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2016-9877
Vulnerability from fkie_nvd - Published: 2016-12-29 09:59 - Updated: 2025-04-12 10:46
Severity ?
Summary
An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "93A123A0-1EDC-4EF6-9300-A265837EC18C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "CC1069E3-5DAE-4B10-A18E-2FB8BE9CF8EF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "856A46DD-B7B0-4649-9ADC-6927BDDFC2FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "A4AA3927-F1D2-472D-A505-5CED02059978",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "0A465750-6168-4319-866B-D844EB4C88FB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D27EDB36-9C20-471D-AFE3-36F62A2C106C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "682BA23A-199F-4591-AD30-EF43B34C227F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7D55283F-EA8E-4D12-B49E-D5392242CCF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "BE08D41D-9782-44B1-A051-EF4BEC861C51",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3DA0EBB7-35CF-4C57-99E3-F5AA0F09781F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "051E5698-D006-4BE9-9C7E-5E70654CC1E4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5D29505A-FE4D-4CC2-96EA-13439B1536D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6B7EA539-A2AB-4FD4-8CB5-575A594437F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "0EB3E04F-7C2D-4121-94E6-09C31BA44C37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "EFAC64E9-0DF2-4350-B2A9-225E841CCF74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F8691A77-2BD3-4C6B-97BA-C5904149D9DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B22BC770-52AF-44DD-BEC7-B989B8C08717",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A1CE91D7-DA1B-4547-B903-A2536E4B3EA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7B1078BE-B70C-4419-95AC-68ED4AC56EDE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "27719DEB-CC36-4DAB-8564-248263F48010",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "D7975F3B-30A9-445B-9D39-8A308670264B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.3.5:*:*:*:*:*:*:*",
"matchCriteriaId": "80944B21-FAC3-49A6-878F-173B5A5AD24E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "755456D9-7249-4092-970C-230729E2F856",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "74804A09-A266-45F3-BB54-73892AD1D22D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "08DE4A7C-EEA5-46E5-8604-041B721DC3E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "83206370-1606-4D4C-94F2-6B21885ADB6E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "36AA89DA-AE78-409B-B4FF-B743490F76C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "90973C7F-E63D-4C00-BB6A-DA2F796697E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F451B7B3-9272-4184-B18A-87ED6B3D2756",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A9166D68-CC18-4F53-9DA6-FA10B93E7702",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "BE205B46-5ACF-44B9-877A-FDC67AA7079F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:3.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "1D0FDB23-6A99-4783-871A-CD25E20F044D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "0DE6A4B2-0445-470B-B18C-2CFEB2A52455",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0B52805C-6F10-4BCD-AA74-3E0C0FF5E3C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "5FE2FBE9-5D35-4273-8B83-A400D3A0136D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B11709F3-3F1C-4FC2-9F2D-87951EC04308",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "32F9F3F6-B1AF-423F-9F96-4329589B323A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "AECBDFAA-198F-4A47-835A-4E17C090DF02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D879D6FD-39D7-4589-8DE7-C8DAAE6F165E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CE842A15-D676-4E00-AAD7-1088CE122876",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F40845F9-00D8-44F0-8B2E-60094A3D37CE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.0:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "0DA89B77-6455-40CD-931E-BB07CD9A3166",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.1:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "52350E43-4AB5-45ED-AC31-CC948DB87631",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.2:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "42856F22-74CD-4278-8EAA-2C6582A7E658",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.3:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "F1C7EE64-A51B-4D02-AAC4-20F4D3FCB110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.4:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "B0D8589A-B843-4130-8CC8-3D4C464CDB4D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.5:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "62016F87-0B15-4D1B-A2AB-FC4769F95DB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.6:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "7DF99EF7-AFCB-4CA5-8F28-ABC9118612CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.7:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "2D9F3D8B-DDB3-4175-AAD7-8F952E9A7D2C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.8:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "C5125B26-63EE-4FE8-97A1-DC6E11757ACA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.9:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "6AF3BAA0-0AEA-4B96-9C91-E51789844A39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.10:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "DD5F0850-F34B-4E79-A46D-B74F2E90C43A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.11:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "DF23DD7D-16B4-408C-A825-C79487D79A0F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.12:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "E792D92E-07A1-4E48-90CB-5EC7C99E0AF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.13:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "B873D04B-704B-468D-A2B1-8E04653806F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.14:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "13C9004B-590A-45F0-8AA9-713928A8F5F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.15:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "F22B84B3-438E-4E08-A02D-4A85C0C561B6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.17:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "501A5F31-6DBA-4E90-8BAD-E1DFD0967D0F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.18:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "3E99B39C-21AF-4F75-8D96-9B69F48C2A39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.0:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "3C6E80B6-857B-4D53-B107-8667EFCCE0EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.1:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "95C7294C-C9D3-40F8-B3C9-40424D5FC124",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.2:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "66F85747-11AA-4133-B553-3C31152F0781",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.3:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "B425D53C-5713-401E-BE30-BCDE54F65857",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.4:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "758D57BA-3EA6-4036-8BDD-5BA2AAE25F77",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.5:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "036437B9-1A7F-4C60-B9FE-B38173BC6FAB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.6:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "408D457F-4DE5-4280-8379-083DA78ECF00",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.7:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "C9D2B08D-9779-4E80-BAB6-870F81F24F7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.8:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "90F47590-6640-494F-8A93-A9AC70459DD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.9:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "5D1F88E0-4047-4ADE-A898-88FE6358D659",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.10:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "8647C50B-41CB-45CE-89E7-BB4B2759DE40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.0:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "9997C9C6-4918-4B74-92E4-012B58278DEC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.2:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "F6DB5A36-22F9-4A2C-9ED0-68D1434B06D0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.3:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "33C0370F-77A5-4A51-ABF2-21793CD57043",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.4:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "4C3C0A88-66F6-46D5-9A79-BEFB654979D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.5:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "1EC26CD6-172D-4DBE-8B23-59491E4765E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.6:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "669EA6CA-3F6C-4151-986D-173F1375B32B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected."
},
{
"lang": "es",
"value": "Un problema fue descubierto en Pivotal RabbitMQ 3.x en versiones anteriores a 3.5.8 y 3.6.x en versiones anteriores a 3.6.6 y RabbitMQ for PCF 1.5.x en versiones anteriores a 1.5.20, 1.6.x en versiones anteriores a 1.6.12 y 1.7.x en versiones anteriores a 1.7.7. Autenticaci\u00f3n de conexi\u00f3n MQTT (MQ Telemetry Transport) con un nombre de usuario/contrase\u00f1a tiene \u00e9xito si se provee un nombre de usuario existente pero la contrase\u00f1a es omitida de la petici\u00f3n de conexi\u00f3n. Conexiones que usan TLS con un certificado provisto por el cliente no est\u00e1n afectadas."
}
],
"id": "CVE-2016-9877",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-12-29T09:59:00.790",
"references": [
{
"source": "security_alert@emc.com",
"url": "http://www.debian.org/security/2017/dsa-3761"
},
{
"source": "security_alert@emc.com",
"url": "http://www.securityfocus.com/bid/95065"
},
{
"source": "security_alert@emc.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2016-9877"
},
{
"source": "security_alert@emc.com",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03880en_us"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2017/dsa-3761"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/95065"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2016-9877"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03880en_us"
}
],
"sourceIdentifier": "security_alert@emc.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2015-8786
Vulnerability from fkie_nvd - Published: 2016-12-09 20:59 - Updated: 2025-04-12 10:46
Severity ?
Summary
The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| oracle | solaris | 11.3 | |
| pivotal_software | rabbitmq | 3.6.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*",
"matchCriteriaId": "79A602C5-61FE-47BA-9786-F045B6C6DBA8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B11709F3-3F1C-4FC2-9F2D-87951EC04308",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter."
},
{
"lang": "es",
"value": "El plugin Management en RabbitMQ en versiones anteriores a 3.6.1 permite a usuarios remotos autenticados con ciertos privilegios provocar una denegaci\u00f3n de servicio (consumo de recursos) a trav\u00e9s del par\u00e1metro (1) lengths_age o (2) lengths_incr."
}
],
"id": "CVE-2015-8786",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 6.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-12-09T20:59:00.157",
"references": [
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0226.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0530.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0531.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0532.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0533.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/91508"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/rabbitmq/rabbitmq-management/issues/97"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0226.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0530.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0531.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0532.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0533.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/91508"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/rabbitmq/rabbitmq-management/issues/97"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_1"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-399"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2020-5419 (GCVE-0-2020-5419)
Vulnerability from cvelistv5 – Published: 2020-08-31 15:05 – Updated: 2024-09-16 23:31
VLAI?
Summary
RabbitMQ versions 3.8.x prior to 3.8.7 are prone to a Windows-specific binary planting security vulnerability that allows for arbitrary code execution. An attacker with write privileges to the RabbitMQ installation directory and local access on Windows could carry out a local binary hijacking (planting) attack and execute arbitrary code.
Severity ?
6.7 (Medium)
CWE
- CWE-427 - Uncontrolled Search Path Element
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| VMware Tanzu | RabbitMQ |
Affected:
3.7 , < 3.7.28
(custom)
Affected: 3.8 , < 3.8.7 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:24.433Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5419"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "RabbitMQ",
"vendor": "VMware Tanzu",
"versions": [
{
"lessThan": "3.7.28",
"status": "affected",
"version": "3.7",
"versionType": "custom"
},
{
"lessThan": "3.8.7",
"status": "affected",
"version": "3.8",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-08-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "RabbitMQ versions 3.8.x prior to 3.8.7 are prone to a Windows-specific binary planting security vulnerability that allows for arbitrary code execution. An attacker with write privileges to the RabbitMQ installation directory and local access on Windows could carry out a local binary hijacking (planting) attack and execute arbitrary code."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427: Uncontrolled Search Path Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-31T15:05:19",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5419"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "RabbitMQ arbitrary code execution using local binary planting",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2020-08-27T00:00:00.000Z",
"ID": "CVE-2020-5419",
"STATE": "PUBLIC",
"TITLE": "RabbitMQ arbitrary code execution using local binary planting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "RabbitMQ",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.7",
"version_value": "3.7.28"
},
{
"version_affected": "\u003c",
"version_name": "3.8",
"version_value": "3.8.7"
}
]
}
}
]
},
"vendor_name": "VMware Tanzu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "RabbitMQ versions 3.8.x prior to 3.8.7 are prone to a Windows-specific binary planting security vulnerability that allows for arbitrary code execution. An attacker with write privileges to the RabbitMQ installation directory and local access on Windows could carry out a local binary hijacking (planting) attack and execute arbitrary code."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-427: Uncontrolled Search Path Element"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://tanzu.vmware.com/security/cve-2020-5419",
"refsource": "CONFIRM",
"url": "https://tanzu.vmware.com/security/cve-2020-5419"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2020-5419",
"datePublished": "2020-08-31T15:05:20.057877Z",
"dateReserved": "2020-01-03T00:00:00",
"dateUpdated": "2024-09-16T23:31:18.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11287 (GCVE-0-2019-11287)
Vulnerability from cvelistv5 – Published: 2019-11-22 23:26 – Updated: 2024-09-16 22:24
VLAI?
Summary
Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.
Severity ?
4.5 (Medium)
CWE
- CWE-400 - Denial of Service
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pivotal | RabbitMQ for Pivotal Platform |
Affected:
1.16 , < 1.16.7
(custom)
Affected: 1.17 , < 1.17.4 (custom) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:48:09.092Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2019-11287"
},
{
"name": "FEDORA-2019-6497f51791",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
},
{
"name": "FEDORA-2019-74d2feb5be",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
},
{
"name": "RHSA-2020:0078",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0078"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "RabbitMQ for Pivotal Platform",
"vendor": "Pivotal",
"versions": [
{
"lessThan": "1.16.7",
"status": "affected",
"version": "1.16",
"versionType": "custom"
},
{
"lessThan": "1.17.4",
"status": "affected",
"version": "1.17",
"versionType": "custom"
}
]
},
{
"product": "RabbitMQ",
"vendor": "Pivotal",
"versions": [
{
"lessThan": "v3.7.21",
"status": "affected",
"version": "3.7",
"versionType": "custom"
},
{
"lessThan": "v3.8.1",
"status": "affected",
"version": "3.8",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-11-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The \"X-Reason\" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-19T19:06:18",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2019-11287"
},
{
"name": "FEDORA-2019-6497f51791",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
},
{
"name": "FEDORA-2019-74d2feb5be",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
},
{
"name": "RHSA-2020:0078",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0078"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "RabbitMQ Web Management Plugin DoS via heap overflow",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2019-11-22T20:51:56.000Z",
"ID": "CVE-2019-11287",
"STATE": "PUBLIC",
"TITLE": "RabbitMQ Web Management Plugin DoS via heap overflow"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "RabbitMQ for Pivotal Platform",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "1.16",
"version_value": "1.16.7"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "1.17",
"version_value": "1.17.4"
}
]
}
},
{
"product_name": "RabbitMQ",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "3.7",
"version_value": "v3.7.21"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "3.8",
"version_value": "v3.8.1"
}
]
}
}
]
},
"vendor_name": "Pivotal"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The \"X-Reason\" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pivotal.io/security/cve-2019-11287",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2019-11287"
},
{
"name": "FEDORA-2019-6497f51791",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
},
{
"name": "FEDORA-2019-74d2feb5be",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
},
{
"name": "RHSA-2020:0078",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0078"
},
{
"name": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin",
"refsource": "MISC",
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2019-11287",
"datePublished": "2019-11-22T23:26:08.880149Z",
"dateReserved": "2019-04-18T00:00:00",
"dateUpdated": "2024-09-16T22:24:51.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11281 (GCVE-0-2019-11281)
Vulnerability from cvelistv5 – Published: 2019-10-16 15:23 – Updated: 2024-09-16 19:05
VLAI?
Summary
Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.
Severity ?
CWE
- CWE-79 - Cross-site Scripting (XSS) - Generic
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Pivotal | RabbitMQ |
Affected:
prior to v3.7.18
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:48:09.216Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2019-11281"
},
{
"name": "FEDORA-2019-6497f51791",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
},
{
"name": "FEDORA-2019-74d2feb5be",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
},
{
"name": "RHSA-2020:0078",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0078"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "RabbitMQ",
"vendor": "Pivotal",
"versions": [
{
"status": "affected",
"version": "prior to v3.7.18"
}
]
},
{
"product": "RabbitMQ for PCF",
"vendor": "Pivotal",
"versions": [
{
"status": "affected",
"version": "1.15.x prior to 1.15.13"
},
{
"status": "affected",
"version": "11.16.x prior to 1.16.6"
},
{
"status": "affected",
"version": "1.17.x prior to 1.17.3"
}
]
}
],
"datePublic": "2019-10-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Cross-site Scripting (XSS) - Generic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-19T19:06:24",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2019-11281"
},
{
"name": "FEDORA-2019-6497f51791",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
},
{
"name": "FEDORA-2019-74d2feb5be",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
},
{
"name": "RHSA-2020:0078",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0078"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "RabbitMQ XSS attack",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2019-10-15T20:59:25.000Z",
"ID": "CVE-2019-11281",
"STATE": "PUBLIC",
"TITLE": "RabbitMQ XSS attack"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "RabbitMQ",
"version": {
"version_data": [
{
"version_value": "prior to v3.7.18"
}
]
}
},
{
"product_name": "RabbitMQ for PCF",
"version": {
"version_data": [
{
"version_value": "1.15.x prior to 1.15.13"
},
{
"version_value": "11.16.x prior to 1.16.6"
},
{
"version_value": "1.17.x prior to 1.17.3"
}
]
}
}
]
},
"vendor_name": "Pivotal"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Cross-site Scripting (XSS) - Generic"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pivotal.io/security/cve-2019-11281",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2019-11281"
},
{
"name": "FEDORA-2019-6497f51791",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
},
{
"name": "FEDORA-2019-74d2feb5be",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
},
{
"name": "RHSA-2020:0078",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0078"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2019-11281",
"datePublished": "2019-10-16T15:23:47.309415Z",
"dateReserved": "2019-04-18T00:00:00",
"dateUpdated": "2024-09-16T19:05:38.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1279 (GCVE-0-2018-1279)
Vulnerability from cvelistv5 – Published: 2018-12-10 19:00 – Updated: 2024-09-17 00:37
VLAI?
Summary
Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster.
Severity ?
8.5 (High)
CWE
- Use of Insufficiently Random Values
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pivotal | RabbitMq for PCF |
Affected:
1 , < all versions*
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:37.260Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2018-1279"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "RabbitMq for PCF",
"vendor": "Pivotal",
"versions": [
{
"lessThan": "all versions*",
"status": "affected",
"version": "1",
"versionType": "custom"
}
]
}
],
"datePublic": "2018-12-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Use of Insufficiently Random Values",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-12-10T18:57:01",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2018-1279"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "RabbitMQ cluster compromise due to deterministically generated cookie",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security_alert@emc.com",
"DATE_PUBLIC": "2018-12-05T00:00:00.000Z",
"ID": "CVE-2018-1279",
"STATE": "PUBLIC",
"TITLE": "RabbitMQ cluster compromise due to deterministically generated cookie"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "RabbitMq for PCF",
"version": {
"version_data": [
{
"affected": "\u003e",
"version_affected": "\u003e",
"version_name": "all versions",
"version_value": "1"
}
]
}
}
]
},
"vendor_name": "Pivotal"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Use of Insufficiently Random Values"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pivotal.io/security/cve-2018-1279",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2018-1279"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2018-1279",
"datePublished": "2018-12-10T19:00:00Z",
"dateReserved": "2017-12-06T00:00:00",
"dateUpdated": "2024-09-17T00:37:15.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-11087 (GCVE-0-2018-11087)
Vulnerability from cvelistv5 – Published: 2018-09-14 20:00 – Updated: 2024-09-17 03:58
VLAI?
Summary
Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit.
Severity ?
No CVSS data available.
CWE
- TLS validation error
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pivotal | Spring AMQP |
Affected:
1.x , < 1.7.10
(custom)
Affected: 2.x , < 2.0.6 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:54:36.646Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2018-11087"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Spring AMQP",
"vendor": "Pivotal",
"versions": [
{
"lessThan": "1.7.10",
"status": "affected",
"version": "1.x",
"versionType": "custom"
},
{
"lessThan": "2.0.6",
"status": "affected",
"version": "2.x",
"versionType": "custom"
}
]
}
],
"datePublic": "2018-09-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "TLS validation error",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-14T19:57:01",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2018-11087"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "TLS validation error",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security_alert@emc.com",
"DATE_PUBLIC": "2018-09-11T04:00:00.000Z",
"ID": "CVE-2018-11087",
"STATE": "PUBLIC",
"TITLE": "TLS validation error"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spring AMQP",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "1.x",
"version_value": "1.7.10"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "2.x",
"version_value": "2.0.6"
}
]
}
}
]
},
"vendor_name": "Pivotal"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "TLS validation error"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pivotal.io/security/cve-2018-11087",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2018-11087"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2018-11087",
"datePublished": "2018-09-14T20:00:00Z",
"dateReserved": "2018-05-14T00:00:00",
"dateUpdated": "2024-09-17T03:58:41.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-4967 (GCVE-0-2017-4967)
Vulnerability from cvelistv5 – Published: 2017-06-13 06:00 – Updated: 2024-08-05 14:47
VLAI?
Summary
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
Severity ?
No CVSS data available.
CWE
- XSS vulnerabilities in RabbitMQ management UI
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Pivotal RabbitMQ |
Affected:
Pivotal RabbitMQ
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:47:43.349Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2017-4965"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pivotal RabbitMQ",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Pivotal RabbitMQ"
}
]
}
],
"datePublic": "2017-06-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XSS vulnerabilities in RabbitMQ management UI",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-19T19:06:14",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2017-4965"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"ID": "CVE-2017-4967",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pivotal RabbitMQ",
"version": {
"version_data": [
{
"version_value": "Pivotal RabbitMQ"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XSS vulnerabilities in RabbitMQ management UI"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pivotal.io/security/cve-2017-4965",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2017-4965"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2017-4967",
"datePublished": "2017-06-13T06:00:00",
"dateReserved": "2016-12-29T00:00:00",
"dateUpdated": "2024-08-05T14:47:43.349Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-4966 (GCVE-0-2017-4966)
Vulnerability from cvelistv5 – Published: 2017-06-13 06:00 – Updated: 2024-08-05 14:47
VLAI?
Summary
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. RabbitMQ management UI stores signed-in user credentials in a browser's local storage without expiration, making it possible to retrieve them using a chained attack.
Severity ?
No CVSS data available.
CWE
- local storage of credentials
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Pivotal RabbitMQ |
Affected:
Pivotal RabbitMQ
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:47:44.070Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2017-4966"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pivotal RabbitMQ",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Pivotal RabbitMQ"
}
]
}
],
"datePublic": "2017-06-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. RabbitMQ management UI stores signed-in user credentials in a browser\u0027s local storage without expiration, making it possible to retrieve them using a chained attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "local storage of credentials",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-19T19:06:22",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2017-4966"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"ID": "CVE-2017-4966",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pivotal RabbitMQ",
"version": {
"version_data": [
{
"version_value": "Pivotal RabbitMQ"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. RabbitMQ management UI stores signed-in user credentials in a browser\u0027s local storage without expiration, making it possible to retrieve them using a chained attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "local storage of credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pivotal.io/security/cve-2017-4966",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2017-4966"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2017-4966",
"datePublished": "2017-06-13T06:00:00",
"dateReserved": "2016-12-29T00:00:00",
"dateUpdated": "2024-08-05T14:47:44.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-4965 (GCVE-0-2017-4965)
Vulnerability from cvelistv5 – Published: 2017-06-13 06:00 – Updated: 2024-08-05 14:47
VLAI?
Summary
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
Severity ?
No CVSS data available.
CWE
- XSS vulnerabilities in RabbitMQ management UI
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Pivotal RabbitMQ |
Affected:
Pivotal RabbitMQ
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:47:43.344Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "98394",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/98394"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2017-4965"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pivotal RabbitMQ",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Pivotal RabbitMQ"
}
]
}
],
"datePublic": "2017-06-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XSS vulnerabilities in RabbitMQ management UI",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-19T19:06:16",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"name": "98394",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/98394"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2017-4965"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"ID": "CVE-2017-4965",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pivotal RabbitMQ",
"version": {
"version_data": [
{
"version_value": "Pivotal RabbitMQ"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XSS vulnerabilities in RabbitMQ management UI"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "98394",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/98394"
},
{
"name": "https://pivotal.io/security/cve-2017-4965",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2017-4965"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2017-4965",
"datePublished": "2017-06-13T06:00:00",
"dateReserved": "2016-12-29T00:00:00",
"dateUpdated": "2024-08-05T14:47:43.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9877 (GCVE-0-2016-9877)
Vulnerability from cvelistv5 – Published: 2016-12-29 09:02 – Updated: 2024-08-06 03:07
VLAI?
Summary
An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected.
Severity ?
No CVSS data available.
CWE
- RabbitMQ authentication vulnerability
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6; RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12 and 1.7.x before 1.7.7 |
Affected:
Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6; RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12 and 1.7.x before 1.7.7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:07:30.822Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03880en_us"
},
{
"name": "95065",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/95065"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2016-9877"
},
{
"name": "DSA-3761",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2017/dsa-3761"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6; RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12 and 1.7.x before 1.7.7",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6; RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12 and 1.7.x before 1.7.7"
}
]
}
],
"datePublic": "2016-12-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "RabbitMQ authentication vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-21T09:57:01",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03880en_us"
},
{
"name": "95065",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/95065"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2016-9877"
},
{
"name": "DSA-3761",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2017/dsa-3761"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security_alert@emc.com",
"ID": "CVE-2016-9877",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6; RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12 and 1.7.x before 1.7.7",
"version": {
"version_data": [
{
"version_value": "Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6; RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12 and 1.7.x before 1.7.7"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "RabbitMQ authentication vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03880en_us",
"refsource": "CONFIRM",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03880en_us"
},
{
"name": "95065",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/95065"
},
{
"name": "https://pivotal.io/security/cve-2016-9877",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2016-9877"
},
{
"name": "DSA-3761",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2017/dsa-3761"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2016-9877",
"datePublished": "2016-12-29T09:02:00",
"dateReserved": "2016-12-06T00:00:00",
"dateUpdated": "2024-08-06T03:07:30.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-8786 (GCVE-0-2015-8786)
Vulnerability from cvelistv5 – Published: 2016-12-09 20:00 – Updated: 2024-08-06 08:29
VLAI?
Summary
The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:29:21.993Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_1"
},
{
"name": "RHSA-2017:0532",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0532.html"
},
{
"name": "RHSA-2017:0530",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0530.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
},
{
"name": "RHSA-2017:0531",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0531.html"
},
{
"name": "RHSA-2017:0533",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0533.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/rabbitmq/rabbitmq-management/issues/97"
},
{
"name": "91508",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/91508"
},
{
"name": "RHSA-2017:0226",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0226.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-04T19:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_1"
},
{
"name": "RHSA-2017:0532",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0532.html"
},
{
"name": "RHSA-2017:0530",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0530.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
},
{
"name": "RHSA-2017:0531",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0531.html"
},
{
"name": "RHSA-2017:0533",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0533.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rabbitmq/rabbitmq-management/issues/97"
},
{
"name": "91508",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/91508"
},
{
"name": "RHSA-2017:0226",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0226.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-8786",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_1",
"refsource": "CONFIRM",
"url": "https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_1"
},
{
"name": "RHSA-2017:0532",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0532.html"
},
{
"name": "RHSA-2017:0530",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0530.html"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
},
{
"name": "RHSA-2017:0531",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0531.html"
},
{
"name": "RHSA-2017:0533",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0533.html"
},
{
"name": "https://github.com/rabbitmq/rabbitmq-management/issues/97",
"refsource": "CONFIRM",
"url": "https://github.com/rabbitmq/rabbitmq-management/issues/97"
},
{
"name": "91508",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/91508"
},
{
"name": "RHSA-2017:0226",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0226.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-8786",
"datePublished": "2016-12-09T20:00:00",
"dateReserved": "2016-01-25T00:00:00",
"dateUpdated": "2024-08-06T08:29:21.993Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5419 (GCVE-0-2020-5419)
Vulnerability from nvd – Published: 2020-08-31 15:05 – Updated: 2024-09-16 23:31
VLAI?
Summary
RabbitMQ versions 3.8.x prior to 3.8.7 are prone to a Windows-specific binary planting security vulnerability that allows for arbitrary code execution. An attacker with write privileges to the RabbitMQ installation directory and local access on Windows could carry out a local binary hijacking (planting) attack and execute arbitrary code.
Severity ?
6.7 (Medium)
CWE
- CWE-427 - Uncontrolled Search Path Element
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| VMware Tanzu | RabbitMQ |
Affected:
3.7 , < 3.7.28
(custom)
Affected: 3.8 , < 3.8.7 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:24.433Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5419"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "RabbitMQ",
"vendor": "VMware Tanzu",
"versions": [
{
"lessThan": "3.7.28",
"status": "affected",
"version": "3.7",
"versionType": "custom"
},
{
"lessThan": "3.8.7",
"status": "affected",
"version": "3.8",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-08-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "RabbitMQ versions 3.8.x prior to 3.8.7 are prone to a Windows-specific binary planting security vulnerability that allows for arbitrary code execution. An attacker with write privileges to the RabbitMQ installation directory and local access on Windows could carry out a local binary hijacking (planting) attack and execute arbitrary code."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427: Uncontrolled Search Path Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-31T15:05:19",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5419"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "RabbitMQ arbitrary code execution using local binary planting",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2020-08-27T00:00:00.000Z",
"ID": "CVE-2020-5419",
"STATE": "PUBLIC",
"TITLE": "RabbitMQ arbitrary code execution using local binary planting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "RabbitMQ",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.7",
"version_value": "3.7.28"
},
{
"version_affected": "\u003c",
"version_name": "3.8",
"version_value": "3.8.7"
}
]
}
}
]
},
"vendor_name": "VMware Tanzu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "RabbitMQ versions 3.8.x prior to 3.8.7 are prone to a Windows-specific binary planting security vulnerability that allows for arbitrary code execution. An attacker with write privileges to the RabbitMQ installation directory and local access on Windows could carry out a local binary hijacking (planting) attack and execute arbitrary code."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-427: Uncontrolled Search Path Element"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://tanzu.vmware.com/security/cve-2020-5419",
"refsource": "CONFIRM",
"url": "https://tanzu.vmware.com/security/cve-2020-5419"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2020-5419",
"datePublished": "2020-08-31T15:05:20.057877Z",
"dateReserved": "2020-01-03T00:00:00",
"dateUpdated": "2024-09-16T23:31:18.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11287 (GCVE-0-2019-11287)
Vulnerability from nvd – Published: 2019-11-22 23:26 – Updated: 2024-09-16 22:24
VLAI?
Summary
Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.
Severity ?
4.5 (Medium)
CWE
- CWE-400 - Denial of Service
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pivotal | RabbitMQ for Pivotal Platform |
Affected:
1.16 , < 1.16.7
(custom)
Affected: 1.17 , < 1.17.4 (custom) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:48:09.092Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2019-11287"
},
{
"name": "FEDORA-2019-6497f51791",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
},
{
"name": "FEDORA-2019-74d2feb5be",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
},
{
"name": "RHSA-2020:0078",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0078"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "RabbitMQ for Pivotal Platform",
"vendor": "Pivotal",
"versions": [
{
"lessThan": "1.16.7",
"status": "affected",
"version": "1.16",
"versionType": "custom"
},
{
"lessThan": "1.17.4",
"status": "affected",
"version": "1.17",
"versionType": "custom"
}
]
},
{
"product": "RabbitMQ",
"vendor": "Pivotal",
"versions": [
{
"lessThan": "v3.7.21",
"status": "affected",
"version": "3.7",
"versionType": "custom"
},
{
"lessThan": "v3.8.1",
"status": "affected",
"version": "3.8",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-11-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The \"X-Reason\" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-19T19:06:18",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2019-11287"
},
{
"name": "FEDORA-2019-6497f51791",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
},
{
"name": "FEDORA-2019-74d2feb5be",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
},
{
"name": "RHSA-2020:0078",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0078"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "RabbitMQ Web Management Plugin DoS via heap overflow",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2019-11-22T20:51:56.000Z",
"ID": "CVE-2019-11287",
"STATE": "PUBLIC",
"TITLE": "RabbitMQ Web Management Plugin DoS via heap overflow"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "RabbitMQ for Pivotal Platform",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "1.16",
"version_value": "1.16.7"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "1.17",
"version_value": "1.17.4"
}
]
}
},
{
"product_name": "RabbitMQ",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "3.7",
"version_value": "v3.7.21"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "3.8",
"version_value": "v3.8.1"
}
]
}
}
]
},
"vendor_name": "Pivotal"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The \"X-Reason\" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pivotal.io/security/cve-2019-11287",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2019-11287"
},
{
"name": "FEDORA-2019-6497f51791",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
},
{
"name": "FEDORA-2019-74d2feb5be",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
},
{
"name": "RHSA-2020:0078",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0078"
},
{
"name": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin",
"refsource": "MISC",
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2019-11287",
"datePublished": "2019-11-22T23:26:08.880149Z",
"dateReserved": "2019-04-18T00:00:00",
"dateUpdated": "2024-09-16T22:24:51.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11281 (GCVE-0-2019-11281)
Vulnerability from nvd – Published: 2019-10-16 15:23 – Updated: 2024-09-16 19:05
VLAI?
Summary
Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.
Severity ?
CWE
- CWE-79 - Cross-site Scripting (XSS) - Generic
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Pivotal | RabbitMQ |
Affected:
prior to v3.7.18
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:48:09.216Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2019-11281"
},
{
"name": "FEDORA-2019-6497f51791",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
},
{
"name": "FEDORA-2019-74d2feb5be",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
},
{
"name": "RHSA-2020:0078",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0078"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "RabbitMQ",
"vendor": "Pivotal",
"versions": [
{
"status": "affected",
"version": "prior to v3.7.18"
}
]
},
{
"product": "RabbitMQ for PCF",
"vendor": "Pivotal",
"versions": [
{
"status": "affected",
"version": "1.15.x prior to 1.15.13"
},
{
"status": "affected",
"version": "11.16.x prior to 1.16.6"
},
{
"status": "affected",
"version": "1.17.x prior to 1.17.3"
}
]
}
],
"datePublic": "2019-10-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Cross-site Scripting (XSS) - Generic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-19T19:06:24",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2019-11281"
},
{
"name": "FEDORA-2019-6497f51791",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
},
{
"name": "FEDORA-2019-74d2feb5be",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
},
{
"name": "RHSA-2020:0078",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0078"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "RabbitMQ XSS attack",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2019-10-15T20:59:25.000Z",
"ID": "CVE-2019-11281",
"STATE": "PUBLIC",
"TITLE": "RabbitMQ XSS attack"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "RabbitMQ",
"version": {
"version_data": [
{
"version_value": "prior to v3.7.18"
}
]
}
},
{
"product_name": "RabbitMQ for PCF",
"version": {
"version_data": [
{
"version_value": "1.15.x prior to 1.15.13"
},
{
"version_value": "11.16.x prior to 1.16.6"
},
{
"version_value": "1.17.x prior to 1.17.3"
}
]
}
}
]
},
"vendor_name": "Pivotal"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Cross-site Scripting (XSS) - Generic"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pivotal.io/security/cve-2019-11281",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2019-11281"
},
{
"name": "FEDORA-2019-6497f51791",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
},
{
"name": "FEDORA-2019-74d2feb5be",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
},
{
"name": "RHSA-2020:0078",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0078"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2019-11281",
"datePublished": "2019-10-16T15:23:47.309415Z",
"dateReserved": "2019-04-18T00:00:00",
"dateUpdated": "2024-09-16T19:05:38.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1279 (GCVE-0-2018-1279)
Vulnerability from nvd – Published: 2018-12-10 19:00 – Updated: 2024-09-17 00:37
VLAI?
Summary
Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster.
Severity ?
8.5 (High)
CWE
- Use of Insufficiently Random Values
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pivotal | RabbitMq for PCF |
Affected:
1 , < all versions*
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:37.260Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2018-1279"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "RabbitMq for PCF",
"vendor": "Pivotal",
"versions": [
{
"lessThan": "all versions*",
"status": "affected",
"version": "1",
"versionType": "custom"
}
]
}
],
"datePublic": "2018-12-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Use of Insufficiently Random Values",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-12-10T18:57:01",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2018-1279"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "RabbitMQ cluster compromise due to deterministically generated cookie",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security_alert@emc.com",
"DATE_PUBLIC": "2018-12-05T00:00:00.000Z",
"ID": "CVE-2018-1279",
"STATE": "PUBLIC",
"TITLE": "RabbitMQ cluster compromise due to deterministically generated cookie"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "RabbitMq for PCF",
"version": {
"version_data": [
{
"affected": "\u003e",
"version_affected": "\u003e",
"version_name": "all versions",
"version_value": "1"
}
]
}
}
]
},
"vendor_name": "Pivotal"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Use of Insufficiently Random Values"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pivotal.io/security/cve-2018-1279",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2018-1279"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2018-1279",
"datePublished": "2018-12-10T19:00:00Z",
"dateReserved": "2017-12-06T00:00:00",
"dateUpdated": "2024-09-17T00:37:15.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-11087 (GCVE-0-2018-11087)
Vulnerability from nvd – Published: 2018-09-14 20:00 – Updated: 2024-09-17 03:58
VLAI?
Summary
Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit.
Severity ?
No CVSS data available.
CWE
- TLS validation error
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pivotal | Spring AMQP |
Affected:
1.x , < 1.7.10
(custom)
Affected: 2.x , < 2.0.6 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:54:36.646Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2018-11087"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Spring AMQP",
"vendor": "Pivotal",
"versions": [
{
"lessThan": "1.7.10",
"status": "affected",
"version": "1.x",
"versionType": "custom"
},
{
"lessThan": "2.0.6",
"status": "affected",
"version": "2.x",
"versionType": "custom"
}
]
}
],
"datePublic": "2018-09-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "TLS validation error",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-14T19:57:01",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2018-11087"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "TLS validation error",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security_alert@emc.com",
"DATE_PUBLIC": "2018-09-11T04:00:00.000Z",
"ID": "CVE-2018-11087",
"STATE": "PUBLIC",
"TITLE": "TLS validation error"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spring AMQP",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "1.x",
"version_value": "1.7.10"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "2.x",
"version_value": "2.0.6"
}
]
}
}
]
},
"vendor_name": "Pivotal"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "TLS validation error"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pivotal.io/security/cve-2018-11087",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2018-11087"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2018-11087",
"datePublished": "2018-09-14T20:00:00Z",
"dateReserved": "2018-05-14T00:00:00",
"dateUpdated": "2024-09-17T03:58:41.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-4967 (GCVE-0-2017-4967)
Vulnerability from nvd – Published: 2017-06-13 06:00 – Updated: 2024-08-05 14:47
VLAI?
Summary
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
Severity ?
No CVSS data available.
CWE
- XSS vulnerabilities in RabbitMQ management UI
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Pivotal RabbitMQ |
Affected:
Pivotal RabbitMQ
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:47:43.349Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2017-4965"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pivotal RabbitMQ",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Pivotal RabbitMQ"
}
]
}
],
"datePublic": "2017-06-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XSS vulnerabilities in RabbitMQ management UI",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-19T19:06:14",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2017-4965"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"ID": "CVE-2017-4967",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pivotal RabbitMQ",
"version": {
"version_data": [
{
"version_value": "Pivotal RabbitMQ"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XSS vulnerabilities in RabbitMQ management UI"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pivotal.io/security/cve-2017-4965",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2017-4965"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2017-4967",
"datePublished": "2017-06-13T06:00:00",
"dateReserved": "2016-12-29T00:00:00",
"dateUpdated": "2024-08-05T14:47:43.349Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-4966 (GCVE-0-2017-4966)
Vulnerability from nvd – Published: 2017-06-13 06:00 – Updated: 2024-08-05 14:47
VLAI?
Summary
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. RabbitMQ management UI stores signed-in user credentials in a browser's local storage without expiration, making it possible to retrieve them using a chained attack.
Severity ?
No CVSS data available.
CWE
- local storage of credentials
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Pivotal RabbitMQ |
Affected:
Pivotal RabbitMQ
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:47:44.070Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2017-4966"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pivotal RabbitMQ",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Pivotal RabbitMQ"
}
]
}
],
"datePublic": "2017-06-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. RabbitMQ management UI stores signed-in user credentials in a browser\u0027s local storage without expiration, making it possible to retrieve them using a chained attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "local storage of credentials",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-19T19:06:22",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2017-4966"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"ID": "CVE-2017-4966",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pivotal RabbitMQ",
"version": {
"version_data": [
{
"version_value": "Pivotal RabbitMQ"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. RabbitMQ management UI stores signed-in user credentials in a browser\u0027s local storage without expiration, making it possible to retrieve them using a chained attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "local storage of credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pivotal.io/security/cve-2017-4966",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2017-4966"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2017-4966",
"datePublished": "2017-06-13T06:00:00",
"dateReserved": "2016-12-29T00:00:00",
"dateUpdated": "2024-08-05T14:47:44.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-4965 (GCVE-0-2017-4965)
Vulnerability from nvd – Published: 2017-06-13 06:00 – Updated: 2024-08-05 14:47
VLAI?
Summary
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
Severity ?
No CVSS data available.
CWE
- XSS vulnerabilities in RabbitMQ management UI
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Pivotal RabbitMQ |
Affected:
Pivotal RabbitMQ
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:47:43.344Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "98394",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/98394"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2017-4965"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pivotal RabbitMQ",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Pivotal RabbitMQ"
}
]
}
],
"datePublic": "2017-06-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XSS vulnerabilities in RabbitMQ management UI",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-19T19:06:16",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"name": "98394",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/98394"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2017-4965"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"ID": "CVE-2017-4965",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pivotal RabbitMQ",
"version": {
"version_data": [
{
"version_value": "Pivotal RabbitMQ"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XSS vulnerabilities in RabbitMQ management UI"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "98394",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/98394"
},
{
"name": "https://pivotal.io/security/cve-2017-4965",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2017-4965"
},
{
"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2017-4965",
"datePublished": "2017-06-13T06:00:00",
"dateReserved": "2016-12-29T00:00:00",
"dateUpdated": "2024-08-05T14:47:43.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9877 (GCVE-0-2016-9877)
Vulnerability from nvd – Published: 2016-12-29 09:02 – Updated: 2024-08-06 03:07
VLAI?
Summary
An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected.
Severity ?
No CVSS data available.
CWE
- RabbitMQ authentication vulnerability
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6; RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12 and 1.7.x before 1.7.7 |
Affected:
Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6; RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12 and 1.7.x before 1.7.7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:07:30.822Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03880en_us"
},
{
"name": "95065",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/95065"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2016-9877"
},
{
"name": "DSA-3761",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2017/dsa-3761"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6; RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12 and 1.7.x before 1.7.7",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6; RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12 and 1.7.x before 1.7.7"
}
]
}
],
"datePublic": "2016-12-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "RabbitMQ authentication vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-21T09:57:01",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03880en_us"
},
{
"name": "95065",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/95065"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2016-9877"
},
{
"name": "DSA-3761",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2017/dsa-3761"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security_alert@emc.com",
"ID": "CVE-2016-9877",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6; RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12 and 1.7.x before 1.7.7",
"version": {
"version_data": [
{
"version_value": "Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6; RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12 and 1.7.x before 1.7.7"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "RabbitMQ authentication vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03880en_us",
"refsource": "CONFIRM",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03880en_us"
},
{
"name": "95065",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/95065"
},
{
"name": "https://pivotal.io/security/cve-2016-9877",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2016-9877"
},
{
"name": "DSA-3761",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2017/dsa-3761"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2016-9877",
"datePublished": "2016-12-29T09:02:00",
"dateReserved": "2016-12-06T00:00:00",
"dateUpdated": "2024-08-06T03:07:30.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-8786 (GCVE-0-2015-8786)
Vulnerability from nvd – Published: 2016-12-09 20:00 – Updated: 2024-08-06 08:29
VLAI?
Summary
The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:29:21.993Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_1"
},
{
"name": "RHSA-2017:0532",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0532.html"
},
{
"name": "RHSA-2017:0530",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0530.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
},
{
"name": "RHSA-2017:0531",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0531.html"
},
{
"name": "RHSA-2017:0533",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0533.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/rabbitmq/rabbitmq-management/issues/97"
},
{
"name": "91508",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/91508"
},
{
"name": "RHSA-2017:0226",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0226.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-04T19:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_1"
},
{
"name": "RHSA-2017:0532",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0532.html"
},
{
"name": "RHSA-2017:0530",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0530.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
},
{
"name": "RHSA-2017:0531",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0531.html"
},
{
"name": "RHSA-2017:0533",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0533.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rabbitmq/rabbitmq-management/issues/97"
},
{
"name": "91508",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/91508"
},
{
"name": "RHSA-2017:0226",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0226.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-8786",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_1",
"refsource": "CONFIRM",
"url": "https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_1"
},
{
"name": "RHSA-2017:0532",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0532.html"
},
{
"name": "RHSA-2017:0530",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0530.html"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
},
{
"name": "RHSA-2017:0531",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0531.html"
},
{
"name": "RHSA-2017:0533",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0533.html"
},
{
"name": "https://github.com/rabbitmq/rabbitmq-management/issues/97",
"refsource": "CONFIRM",
"url": "https://github.com/rabbitmq/rabbitmq-management/issues/97"
},
{
"name": "91508",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/91508"
},
{
"name": "RHSA-2017:0226",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0226.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-8786",
"datePublished": "2016-12-09T20:00:00",
"dateReserved": "2016-01-25T00:00:00",
"dateUpdated": "2024-08-06T08:29:21.993Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}