All the vulnerabilities related to pivotal_software - rabbitmq
Vulnerability from fkie_nvd
Published
2016-12-29 09:59
Modified
2024-11-21 03:01
Severity ?
Summary
An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "0DE6A4B2-0445-470B-B18C-2CFEB2A52455", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "0B52805C-6F10-4BCD-AA74-3E0C0FF5E3C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "5FE2FBE9-5D35-4273-8B83-A400D3A0136D", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "B11709F3-3F1C-4FC2-9F2D-87951EC04308", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "32F9F3F6-B1AF-423F-9F96-4329589B323A", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "AECBDFAA-198F-4A47-835A-4E17C090DF02", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "D879D6FD-39D7-4589-8DE7-C8DAAE6F165E", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "CE842A15-D676-4E00-AAD7-1088CE122876", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.5:*:*:*:*:*:*:*", "matchCriteriaId": "F40845F9-00D8-44F0-8B2E-60094A3D37CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "06A7CF1B-B1AF-4875-B744-33BBC5275B4A", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "092649A0-17AA-47EE-8684-7B2B6AE19870", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E503CE6E-12B0-4307-86A8-86346E856738", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "29CB62E6-AAC1-43B6-9A34-C138890F4B5E", 
"vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "A0D97FB5-0189-45ED-8239-0E3C238F7C96", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "6DF9A027-4AA8-451D-B26E-3597F8513B97", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "3F48BA73-6453-498F-B33F-B630791BD41D", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "8D7AE34E-A49F-47E0-80A3-E7CA8771EE18", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "B112A955-8FCC-4C17-90F2-13D7755CC397", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "8B8C9320-CF79-4B9A-9370-CE2EEDA848CD", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "E67B22C7-BD10-481C-B686-DB626B6E6434", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "B735947D-3A98-45D2-A37D-560FD387B85B", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "502AEBAA-CB1B-403A-B9F4-37FF027B892D", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "5B9EB256-80BF-4F63-8A80-0E7643DAC91D", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "F666302C-7D25-4230-B835-2B8852CD53F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "B5A67824-47C5-494D-B8A8-7C7EDE51F979", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "6530EC3A-9B67-41F2-B450-D0A8BB744AB7", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.3.1:*:*:*:*:*:*:*", "matchCriteriaId": 
"B23B1DC5-BB23-4C29-9B03-7AF5E7A33050", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "F9677B53-A3D8-47DE-9BA5-4ACF5ED2F24D", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "9C9D13DF-807D-4E22-85A3-1674DFC570E4", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "9713A545-2BC0-4761-90A2-F80575A99302", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "16967835-4E17-4260-B7FD-9A85B5BE43DE", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "B58103B8-6CD1-4DA6-B5A3-D1289B95A951", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "F57DA292-66F8-4BE5-AD3B-C4400D6D1A42", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "385A9C6F-7933-4681-985E-31D7CED8B0FD", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "6D7EC8A4-16CB-451F-B70B-BE232F1BCAF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "3BBF7FB2-3D52-45BE-813A-6F73DFAF9EC6", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "76B241B7-DE7C-4F95-A742-164020FCAED3", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "09429E70-C395-4E95-9C83-5BDC8083C0AE", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "9432656B-DB94-4E5F-83CB-38A9DA4FCA74", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "37CD714F-30CD-4254-AF41-DEBEA9053706", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.5.6:*:*:*:*:*:*:*", 
"matchCriteriaId": "EEC4C125-7594-4960-BF88-977D3A95D6BC", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.0:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "0DA89B77-6455-40CD-931E-BB07CD9A3166", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.1:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "52350E43-4AB5-45ED-AC31-CC948DB87631", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.2:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "42856F22-74CD-4278-8EAA-2C6582A7E658", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.3:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "F1C7EE64-A51B-4D02-AAC4-20F4D3FCB110", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.4:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "B0D8589A-B843-4130-8CC8-3D4C464CDB4D", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.5:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "62016F87-0B15-4D1B-A2AB-FC4769F95DB7", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.6:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "7DF99EF7-AFCB-4CA5-8F28-ABC9118612CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.7:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "2D9F3D8B-DDB3-4175-AAD7-8F952E9A7D2C", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.8:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "C5125B26-63EE-4FE8-97A1-DC6E11757ACA", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.9:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "6AF3BAA0-0AEA-4B96-9C91-E51789844A39", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.10:*:*:*:*:pivotal_cloud_foundry:*:*", 
"matchCriteriaId": "DD5F0850-F34B-4E79-A46D-B74F2E90C43A", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.11:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "DF23DD7D-16B4-408C-A825-C79487D79A0F", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.12:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "E792D92E-07A1-4E48-90CB-5EC7C99E0AF0", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.13:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "B873D04B-704B-468D-A2B1-8E04653806F3", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.14:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "13C9004B-590A-45F0-8AA9-713928A8F5F2", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.15:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "F22B84B3-438E-4E08-A02D-4A85C0C561B6", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.17:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "501A5F31-6DBA-4E90-8BAD-E1DFD0967D0F", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.18:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "3E99B39C-21AF-4F75-8D96-9B69F48C2A39", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.0:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "3C6E80B6-857B-4D53-B107-8667EFCCE0EA", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.1:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "95C7294C-C9D3-40F8-B3C9-40424D5FC124", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.2:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "66F85747-11AA-4133-B553-3C31152F0781", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.3:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "B425D53C-5713-401E-BE30-BCDE54F65857", "vulnerable": true 
}, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.4:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "758D57BA-3EA6-4036-8BDD-5BA2AAE25F77", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.5:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "036437B9-1A7F-4C60-B9FE-B38173BC6FAB", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.6:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "408D457F-4DE5-4280-8379-083DA78ECF00", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.7:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "C9D2B08D-9779-4E80-BAB6-870F81F24F7E", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.8:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "90F47590-6640-494F-8A93-A9AC70459DD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.9:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "5D1F88E0-4047-4ADE-A898-88FE6358D659", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.10:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "8647C50B-41CB-45CE-89E7-BB4B2759DE40", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.0:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "9997C9C6-4918-4B74-92E4-012B58278DEC", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.2:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "F6DB5A36-22F9-4A2C-9ED0-68D1434B06D0", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.3:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "33C0370F-77A5-4A51-ABF2-21793CD57043", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.4:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "4C3C0A88-66F6-46D5-9A79-BEFB654979D6", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:pivotal_software:rabbitmq:1.7.5:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "1EC26CD6-172D-4DBE-8B23-59491E4765E1", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.6:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "669EA6CA-3F6C-4151-986D-173F1375B32B", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected." }, { "lang": "es", "value": "Un problema fue descubierto en Pivotal RabbitMQ 3.x en versiones anteriores a 3.5.8 y 3.6.x en versiones anteriores a 3.6.6 y RabbitMQ for PCF 1.5.x en versiones anteriores a 1.5.20, 1.6.x en versiones anteriores a 1.6.12 y 1.7.x en versiones anteriores a 1.7.7. Autenticaci\u00f3n de conexi\u00f3n MQTT (MQ Telemetry Transport) con un nombre de usuario/contrase\u00f1a tiene \u00e9xito si se provee un nombre de usuario existente pero la contrase\u00f1a es omitida de la petici\u00f3n de conexi\u00f3n. Conexiones que usan TLS con un certificado provisto por el cliente no est\u00e1n afectadas." 
} ], "id": "CVE-2016-9877", "lastModified": "2024-11-21T03:01:56.197", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-12-29T09:59:00.790", "references": [ { "source": "security_alert@emc.com", "url": "http://www.debian.org/security/2017/dsa-3761" }, { "source": "security_alert@emc.com", "url": "http://www.securityfocus.com/bid/95065" }, { "source": "security_alert@emc.com", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://pivotal.io/security/cve-2016-9877" }, { "source": "security_alert@emc.com", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03880en_us" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2017/dsa-3761" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/95065" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", "Vendor Advisory" ], "url": 
"https://pivotal.io/security/cve-2016-9877" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03880en_us" } ], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-284" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2016-12-09 20:59
Modified
2024-11-21 02:39
Severity ?
Summary
The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter.
References
Impacted products
Vendor | Product | Version
---|---|---
oracle | solaris | 11.3
pivotal_software | rabbitmq | 3.6.0
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*", "matchCriteriaId": "79A602C5-61FE-47BA-9786-F045B6C6DBA8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "B11709F3-3F1C-4FC2-9F2D-87951EC04308", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter." }, { "lang": "es", "value": "El plugin Management en RabbitMQ en versiones anteriores a 3.6.1 permite a usuarios remotos autenticados con ciertos privilegios provocar una denegaci\u00f3n de servicio (consumo de recursos) a trav\u00e9s del par\u00e1metro (1) lengths_age o (2) lengths_incr." 
} ], "id": "CVE-2015-8786", "lastModified": "2024-11-21T02:39:11.720", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 6.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-12-09T20:59:00.157", "references": [ { "source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2017-0226.html" }, { "source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2017-0530.html" }, { "source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2017-0531.html" }, { "source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2017-0532.html" }, { "source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2017-0533.html" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/91508" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Patch" ], 
"url": "https://github.com/rabbitmq/rabbitmq-management/issues/97" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Patch" ], "url": "https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2017-0226.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2017-0530.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2017-0531.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2017-0532.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2017-0533.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/91508" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch" ], "url": "https://github.com/rabbitmq/rabbitmq-management/issues/97" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch" ], "url": "https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_1" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-399" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-08-31 15:15
Modified
2024-11-21 05:34
Severity ?
Summary
RabbitMQ versions 3.8.x prior to 3.8.7 are prone to a Windows-specific binary planting security vulnerability that allows for arbitrary code execution. An attacker with write privileges to the RabbitMQ installation directory and local access on Windows could carry out a local binary hijacking (planting) attack and execute arbitrary code.
References
Source | URL | Tags
---|---|---
security@pivotal.io | https://tanzu.vmware.com/security/cve-2020-5419 | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://tanzu.vmware.com/security/cve-2020-5419 | Vendor Advisory
Impacted products
Vendor | Product | Version
---|---|---
pivotal_software | rabbitmq | *
vmware | rabbitmq | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:*:*:*", "matchCriteriaId": "56069EBC-2F93-4786-9AE2-841A659FD9C0", "versionEndExcluding": "3.7.28", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:*:*:*:*:*:*:*:*", "matchCriteriaId": "071EE3DC-A29A-4A4E-8DE5-EE89951F56AC", "versionEndExcluding": "3.8.7", "versionStartIncluding": "3.8.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "RabbitMQ versions 3.8.x prior to 3.8.7 are prone to a Windows-specific binary planting security vulnerability that allows for arbitrary code execution. An attacker with write privileges to the RabbitMQ installation directory and local access on Windows could carry out a local binary hijacking (planting) attack and execute arbitrary code." }, { "lang": "es", "value": "RabbitMQ versiones 3.8.x anteriores a 3.8.7, son propensas a una vulnerabilidad de seguridad de plantaci\u00f3n de binario espec\u00edfico de Windows que permite una ejecuci\u00f3n de c\u00f3digo arbitraria. 
Un atacante con privilegios de escritura en el directorio de instalaci\u00f3n de RabbitMQ y acceso local en Windows podr\u00eda llevar a cabo un ataque de secuestro (plantaci\u00f3n) de binario local y ejecutar c\u00f3digo arbitrario" } ], "id": "CVE-2020-5419", "lastModified": "2024-11-21T05:34:08.070", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "security@pivotal.io", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-08-31T15:15:11.010", "references": [ { "source": "security@pivotal.io", "tags": [ "Vendor Advisory" ], "url": 
"https://tanzu.vmware.com/security/cve-2020-5419" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://tanzu.vmware.com/security/cve-2020-5419" } ], "sourceIdentifier": "security@pivotal.io", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-427" } ], "source": "security@pivotal.io", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-427" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2015-01-20 15:59
Modified
2024-11-21 02:21
Severity ?
Summary
RabbitMQ before 3.4.0 allows remote attackers to bypass the loopback_users restriction via a crafted X-Forwarded-For header.
References
Impacted products
Vendor | Product | Version
---|---|---
pivotal_software | rabbitmq | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:*:*:*", "matchCriteriaId": "F6E3E042-5086-4DB3-8804-CDE162723A5C", "versionEndIncluding": "3.3.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "RabbitMQ before 3.4.0 allows remote attackers to bypass the loopback_users restriction via a crafted X-Forwareded-For header." }, { "lang": "es", "value": "RabbitMQ anterior a 3.4.0 permite a atacantes remotos evadir la restricci\u00f3n loopback_users a trav\u00e9s de una cabecera X-Forwareded-For manipulada." } ], "id": "CVE-2014-9494", "lastModified": "2024-11-21T02:21:01.113", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2015-01-20T15:59:08.233", "references": [ { "source": "secalert@redhat.com", "url": "http://seclists.org/oss-sec/2015/q1/30" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://www.rabbitmq.com/release-notes/README-3.4.0.txt" }, { "source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99685" }, { "source": "secalert@redhat.com", "url": "https://groups.google.com/forum/#%21topic/rabbitmq-users/DMkypbSvIyM" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/oss-sec/2015/q1/30" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": 
"http://www.rabbitmq.com/release-notes/README-3.4.0.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99685" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://groups.google.com/forum/#%21topic/rabbitmq-users/DMkypbSvIyM" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-11-23 00:15
Modified
2024-11-21 04:20
Severity ?
Summary
Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.
References
Impacted products
Vendor | Product | Version
---|---|---
pivotal_software | rabbitmq | *
pivotal_software | rabbitmq | *
pivotal_software | rabbitmq | *
vmware | rabbitmq | *
fedoraproject | fedora | 30
fedoraproject | fedora | 31
redhat | openstack | 15
debian | debian_linux | 9.0
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "9A203B97-4B5E-4851-BA2D-DC551F31F3D3", "versionEndExcluding": "1.16.7", "versionStartIncluding": "1.16.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "A17844A1-5E52-4FB6-8261-BF32BA113733", "versionEndExcluding": "1.17.4", "versionStartIncluding": "1.17.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:*:*:*", "matchCriteriaId": "44D49187-912D-4F14-A2B4-BEEB9D278C9C", "versionEndExcluding": "3.7.21", "versionStartIncluding": "3.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:*:*:*:*:*:*:*:*", "matchCriteriaId": "729FDF48-97C3-4DDE-8549-C90224BFEB48", "versionEndExcluding": "3.8.1", "versionStartIncluding": "3.8.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:redhat:openstack:15:*:*:*:*:*:*:*", "matchCriteriaId": "70108B60-8817-40B4-8412-796A592E4E5E", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 
1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The \"X-Reason\" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing." }, { "lang": "es", "value": "Pivotal RabbitMQ, versiones 3.7.x anteriores a 3.7.21 y versiones 3.8.x anteriores a 3.8.1, y RabbitMQ para Pivotal Platform, versiones 1.16.x anteriores a 1.16.7 y versiones 1.17.x versiones anteriores a 1.17.4, contienen un plugin de administraci\u00f3n web que es vulnerable a un ataque de denegaci\u00f3n de servicio. El encabezado \"X-Reason\" de HTTP puede ser aprovechado para insertar una cadena de formato Erlang maliciosa que expandir\u00e1 y consumir\u00e1 la pila, resultando en el bloqueo del servidor." } ], "id": "CVE-2019-11287", "lastModified": "2024-11-21T04:20:51.303", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H", "version": "3.0" }, "exploitabilityScore": 0.9, "impactScore": 3.6, "source": "security@pivotal.io", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": 
{ "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-11-23T00:15:10.683", "references": [ { "source": "security@pivotal.io", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0078" }, { "source": "security@pivotal.io", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin" }, { "source": "security@pivotal.io", "tags": [ "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" }, { "source": "security@pivotal.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/" }, { "source": "security@pivotal.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/" }, { "source": "security@pivotal.io", "tags": [ "Vendor Advisory" ], "url": "https://pivotal.io/security/cve-2019-11287" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0078" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": 
"https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pivotal.io/security/cve-2019-11287" } ], "sourceIdentifier": "security@pivotal.io", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "security@pivotal.io", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-134" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-16 16:15
Modified
2024-11-21 04:20
Severity ?
Summary
Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross-site scripting attack that would gain access to virtual hosts and policy management information.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
pivotal_software | rabbitmq | * | |
pivotal_software | rabbitmq | * | |
pivotal_software | rabbitmq | * | |
pivotal_software | rabbitmq | * | |
redhat | openstack | 15 | |
redhat | openstack_for_ibm_power | 15 | |
debian | debian_linux | 9.0 | |
fedoraproject | fedora | 30 | |
fedoraproject | fedora | 31 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:*:*:*", "matchCriteriaId": "B4F377A9-A488-4C3C-97E4-3A2B9E4D84C8", "versionEndExcluding": "3.7.18", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "96BAE006-3986-4FD0-A47F-A6EA310D2970", "versionEndExcluding": "1.15.13", "versionStartIncluding": "1.15.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "362E2727-D4D4-4A78-BA9E-DFC344005F6C", "versionEndExcluding": "1.16.6", "versionStartIncluding": "1.16.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "F467BF7B-8098-4C81-ACDE-ABD4E66B5753", "versionEndExcluding": "1.17.3", "versionStartIncluding": "1.17.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:redhat:openstack:15:*:*:*:*:*:*:*", "matchCriteriaId": "70108B60-8817-40B4-8412-796A592E4E5E", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:openstack_for_ibm_power:15:*:*:*:*:*:*:*", "matchCriteriaId": "05002836-7DD1-4EF1-8949-4AC8A2268672", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and 
versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information." }, { "lang": "es", "value": "Pivotal RabbitMQ, versiones anteriores a v3.7.18 y RabbitMQ for PCF, versiones 1.15.x anteriores a 1.15.13, versiones 1.16.x anteriores a 1.16.6 y versiones 1.17.x anteriores a 1.17.3, contienen dos componentes, la p\u00e1gina de l\u00edmites de host virtual y la UI de administraci\u00f3n federation que no sanean apropiadamente la entrada del usuario. Un usuario malicioso autenticado remoto con acceso administrativo podr\u00eda crear un ataque de tipo cross-site scripting que obtendr\u00eda acceso a hosts virtuales e informaci\u00f3n de gesti\u00f3n de pol\u00edticas." } ], "id": "CVE-2019-11281", "lastModified": "2024-11-21T04:20:50.700", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N", "version": "3.0" }, 
"exploitabilityScore": 0.9, "impactScore": 1.4, "source": "security@pivotal.io", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-16T16:15:10.340", "references": [ { "source": "security@pivotal.io", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0078" }, { "source": "security@pivotal.io", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" }, { "source": "security@pivotal.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/" }, { "source": "security@pivotal.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/" }, { "source": "security@pivotal.io", "tags": [ "Vendor Advisory" ], "url": "https://pivotal.io/security/cve-2019-11281" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0078" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pivotal.io/security/cve-2019-11281" } ], "sourceIdentifier": "security@pivotal.io", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security@pivotal.io", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-12-10 19:29
Modified
2024-11-21 03:59
Severity ?
8.5 (High) - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
6.5 (Medium) - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster, can use this cookie to gain full control over the entire cluster.
References
▼ | URL | Tags | |
---|---|---|---|
security_alert@emc.com | https://pivotal.io/security/cve-2018-1279 | Mitigation, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://pivotal.io/security/cve-2018-1279 | Mitigation, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
pivotal_software | rabbitmq | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "8ECA11BE-4AD5-41B4-9828-037E3D36F94E", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster." }, { "lang": "es", "value": "Pivotal RabbitMQ para PCF, en todas las versiones, emplea una cookie generada de forma determin\u00edstica compartida entre todas las m\u00e1quinas cuando se configura en un cl\u00faster multiinquilino. Un atacante remoto que pueda obtener informaci\u00f3n sobre la topolog\u00eda de la red puede adivinar esta cookie y, si tienen acceso a los puertos correctos en cualquier servidor del cl\u00faster MQ, puede emplear esta cookie para obtener el control total del cl\u00faster completo." 
} ], "id": "CVE-2018-1279", "lastModified": "2024-11-21T03:59:31.903", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 6.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "security_alert@emc.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-12-10T19:29:25.127", "references": [ { "source": "security_alert@emc.com", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://pivotal.io/security/cve-2018-1279" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://pivotal.io/security/cve-2018-1279" } ], "sourceIdentifier": 
"security_alert@emc.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-330" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-06-13 06:29
Modified
2024-11-21 03:26
Severity ?
Summary
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
References
▼ | URL | Tags | |
---|---|---|---|
security_alert@emc.com | https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html | Third Party Advisory | |
security_alert@emc.com | https://pivotal.io/security/cve-2017-4965 | Mitigation, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://pivotal.io/security/cve-2017-4965 | Mitigation, Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "0DE6A4B2-0445-470B-B18C-2CFEB2A52455", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "0B52805C-6F10-4BCD-AA74-3E0C0FF5E3C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "5FE2FBE9-5D35-4273-8B83-A400D3A0136D", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "B11709F3-3F1C-4FC2-9F2D-87951EC04308", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "32F9F3F6-B1AF-423F-9F96-4329589B323A", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "AECBDFAA-198F-4A47-835A-4E17C090DF02", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "D879D6FD-39D7-4589-8DE7-C8DAAE6F165E", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "CE842A15-D676-4E00-AAD7-1088CE122876", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.5:*:*:*:*:*:*:*", "matchCriteriaId": "F40845F9-00D8-44F0-8B2E-60094A3D37CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.6:*:*:*:*:*:*:*", "matchCriteriaId": "3772B181-64DB-43AA-99C1-21378CF91E51", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "B58103B8-6CD1-4DA6-B5A3-D1289B95A951", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "F57DA292-66F8-4BE5-AD3B-C4400D6D1A42", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.4.2:*:*:*:*:*:*:*", "matchCriteriaId": 
"385A9C6F-7933-4681-985E-31D7CED8B0FD", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "6D7EC8A4-16CB-451F-B70B-BE232F1BCAF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "3BBF7FB2-3D52-45BE-813A-6F73DFAF9EC6", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "76B241B7-DE7C-4F95-A742-164020FCAED3", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "09429E70-C395-4E95-9C83-5BDC8083C0AE", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "9432656B-DB94-4E5F-83CB-38A9DA4FCA74", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "37CD714F-30CD-4254-AF41-DEBEA9053706", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "EEC4C125-7594-4960-BF88-977D3A95D6BC", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.6.7:*:*:*:*:*:*:*", "matchCriteriaId": "1647A9D6-2D1F-461C-B0B8-B8A2FD9AB823", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.0:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "0DA89B77-6455-40CD-931E-BB07CD9A3166", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.1:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "52350E43-4AB5-45ED-AC31-CC948DB87631", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.2:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "42856F22-74CD-4278-8EAA-2C6582A7E658", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.3:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "F1C7EE64-A51B-4D02-AAC4-20F4D3FCB110", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:pivotal_software:rabbitmq:1.5.4:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "B0D8589A-B843-4130-8CC8-3D4C464CDB4D", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.5:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "62016F87-0B15-4D1B-A2AB-FC4769F95DB7", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.6:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "7DF99EF7-AFCB-4CA5-8F28-ABC9118612CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.7:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "2D9F3D8B-DDB3-4175-AAD7-8F952E9A7D2C", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.8:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "C5125B26-63EE-4FE8-97A1-DC6E11757ACA", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.9:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "6AF3BAA0-0AEA-4B96-9C91-E51789844A39", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.10:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "DD5F0850-F34B-4E79-A46D-B74F2E90C43A", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.11:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "DF23DD7D-16B4-408C-A825-C79487D79A0F", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.12:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "E792D92E-07A1-4E48-90CB-5EC7C99E0AF0", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.13:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "B873D04B-704B-468D-A2B1-8E04653806F3", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.14:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "13C9004B-590A-45F0-8AA9-713928A8F5F2", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.15:*:*:*:*:pivotal_cloud_foundry:*:*", 
"matchCriteriaId": "F22B84B3-438E-4E08-A02D-4A85C0C561B6", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.17:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "501A5F31-6DBA-4E90-8BAD-E1DFD0967D0F", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.18:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "3E99B39C-21AF-4F75-8D96-9B69F48C2A39", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.19:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "0CFACCBF-6C53-4A7F-AC0F-8A2D03E6D6EE", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.0:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "3C6E80B6-857B-4D53-B107-8667EFCCE0EA", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.1:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "95C7294C-C9D3-40F8-B3C9-40424D5FC124", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.2:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "66F85747-11AA-4133-B553-3C31152F0781", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.3:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "B425D53C-5713-401E-BE30-BCDE54F65857", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.4:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "758D57BA-3EA6-4036-8BDD-5BA2AAE25F77", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.5:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "036437B9-1A7F-4C60-B9FE-B38173BC6FAB", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.6:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "408D457F-4DE5-4280-8379-083DA78ECF00", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.7:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "C9D2B08D-9779-4E80-BAB6-870F81F24F7E", "vulnerable": true }, { 
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.8:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "90F47590-6640-494F-8A93-A9AC70459DD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.9:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "5D1F88E0-4047-4ADE-A898-88FE6358D659", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.10:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "8647C50B-41CB-45CE-89E7-BB4B2759DE40", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.12:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "4960386C-07D9-4367-945C-278595DB6C0A", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.13:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "A49DCDFA-4D98-4AEC-91A1-612B85DDFB04", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.14:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "4FEB47ED-5D35-4151-B087-8324339DE5FE", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.15:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "65A513AD-9236-42D7-9D04-F318A5815640", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.16:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "6647F298-1B11-46D8-B68A-6B284BB1F7AD", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.0:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "9997C9C6-4918-4B74-92E4-012B58278DEC", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.2:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "F6DB5A36-22F9-4A2C-9ED0-68D1434B06D0", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.3:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "33C0370F-77A5-4A51-ABF2-21793CD57043", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:pivotal_software:rabbitmq:1.7.4:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "4C3C0A88-66F6-46D5-9A79-BEFB654979D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.5:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "1EC26CD6-172D-4DBE-8B23-59491E4765E1", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.6:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "669EA6CA-3F6C-4151-986D-173F1375B32B", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.7:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "69960839-7C03-4542-80D3-5C71795F8159", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.8:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "82CA3E75-AFD0-486A-9EFA-71A8CA780632", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.9:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "921374B4-B99F-4863-99D8-9FD938EF8EF0", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.10:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "C5344CFC-3100-4407-93E4-65594C3741B5", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.13:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "06B09408-573D-47A8-BC84-724DD88976E4", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.14:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "ADF54631-875A-45C4-9C0A-4836AB1F8309", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions 
prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks." }, { "lang": "es", "value": "Se detect\u00f3 un problema en estas versiones de RabbitMQ de Pivotal: todas las versiones 3.4.x, todas las versiones 3.5.x y versiones 3.6.x anteriores a 3.6.9; y en estas versiones de RabbitMQ de Pivotal para PCF: todas las versiones 1.5.x, versiones 1.6.x anteriores a 1.6.18 y versiones 1.7.x anteriores a 1.7.15. Varios formularios en la interfaz de usuario de administraci\u00f3n de RabbitMQ son vulnerables a los ataques de tipo XSS." } ], "id": "CVE-2017-4967", "lastModified": "2024-11-21T03:26:46.373", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-06-13T06:29:00.520", "references": [ { "source": "security_alert@emc.com", "tags": [ "Third Party Advisory" ], "url": 
"https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" }, { "source": "security_alert@emc.com", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://pivotal.io/security/cve-2017-4965" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://pivotal.io/security/cve-2017-4965" } ], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-06-13 06:29
Modified
2024-11-21 03:26
Severity ?
Summary
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
References
▼ | URL | Tags | |
---|---|---|---|
security_alert@emc.com | http://www.securityfocus.com/bid/98394 | Third Party Advisory, VDB Entry | |
security_alert@emc.com | https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html | Third Party Advisory | |
security_alert@emc.com | https://pivotal.io/security/cve-2017-4965 | Mitigation, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/98394 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://pivotal.io/security/cve-2017-4965 | Mitigation, Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "0DE6A4B2-0445-470B-B18C-2CFEB2A52455", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "0B52805C-6F10-4BCD-AA74-3E0C0FF5E3C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "5FE2FBE9-5D35-4273-8B83-A400D3A0136D", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "B11709F3-3F1C-4FC2-9F2D-87951EC04308", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "32F9F3F6-B1AF-423F-9F96-4329589B323A", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "AECBDFAA-198F-4A47-835A-4E17C090DF02", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "D879D6FD-39D7-4589-8DE7-C8DAAE6F165E", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "CE842A15-D676-4E00-AAD7-1088CE122876", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.5:*:*:*:*:*:*:*", "matchCriteriaId": "F40845F9-00D8-44F0-8B2E-60094A3D37CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.6:*:*:*:*:*:*:*", "matchCriteriaId": "3772B181-64DB-43AA-99C1-21378CF91E51", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "B58103B8-6CD1-4DA6-B5A3-D1289B95A951", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "F57DA292-66F8-4BE5-AD3B-C4400D6D1A42", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.4.2:*:*:*:*:*:*:*", "matchCriteriaId": 
"385A9C6F-7933-4681-985E-31D7CED8B0FD", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "6D7EC8A4-16CB-451F-B70B-BE232F1BCAF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "3BBF7FB2-3D52-45BE-813A-6F73DFAF9EC6", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "76B241B7-DE7C-4F95-A742-164020FCAED3", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "09429E70-C395-4E95-9C83-5BDC8083C0AE", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "9432656B-DB94-4E5F-83CB-38A9DA4FCA74", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "37CD714F-30CD-4254-AF41-DEBEA9053706", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "EEC4C125-7594-4960-BF88-977D3A95D6BC", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.6.7:*:*:*:*:*:*:*", "matchCriteriaId": "1647A9D6-2D1F-461C-B0B8-B8A2FD9AB823", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.0:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "0DA89B77-6455-40CD-931E-BB07CD9A3166", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.1:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "52350E43-4AB5-45ED-AC31-CC948DB87631", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.2:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "42856F22-74CD-4278-8EAA-2C6582A7E658", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.3:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "F1C7EE64-A51B-4D02-AAC4-20F4D3FCB110", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:pivotal_software:rabbitmq:1.5.4:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "B0D8589A-B843-4130-8CC8-3D4C464CDB4D", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.5:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "62016F87-0B15-4D1B-A2AB-FC4769F95DB7", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.6:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "7DF99EF7-AFCB-4CA5-8F28-ABC9118612CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.7:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "2D9F3D8B-DDB3-4175-AAD7-8F952E9A7D2C", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.8:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "C5125B26-63EE-4FE8-97A1-DC6E11757ACA", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.9:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "6AF3BAA0-0AEA-4B96-9C91-E51789844A39", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.10:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "DD5F0850-F34B-4E79-A46D-B74F2E90C43A", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.11:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "DF23DD7D-16B4-408C-A825-C79487D79A0F", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.12:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "E792D92E-07A1-4E48-90CB-5EC7C99E0AF0", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.13:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "B873D04B-704B-468D-A2B1-8E04653806F3", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.14:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "13C9004B-590A-45F0-8AA9-713928A8F5F2", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.15:*:*:*:*:pivotal_cloud_foundry:*:*", 
"matchCriteriaId": "F22B84B3-438E-4E08-A02D-4A85C0C561B6", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.17:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "501A5F31-6DBA-4E90-8BAD-E1DFD0967D0F", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.18:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "3E99B39C-21AF-4F75-8D96-9B69F48C2A39", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.19:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "0CFACCBF-6C53-4A7F-AC0F-8A2D03E6D6EE", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.0:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "3C6E80B6-857B-4D53-B107-8667EFCCE0EA", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.1:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "95C7294C-C9D3-40F8-B3C9-40424D5FC124", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.2:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "66F85747-11AA-4133-B553-3C31152F0781", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.3:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "B425D53C-5713-401E-BE30-BCDE54F65857", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.4:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "758D57BA-3EA6-4036-8BDD-5BA2AAE25F77", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.5:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "036437B9-1A7F-4C60-B9FE-B38173BC6FAB", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.6:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "408D457F-4DE5-4280-8379-083DA78ECF00", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.7:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "C9D2B08D-9779-4E80-BAB6-870F81F24F7E", "vulnerable": true }, { 
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.8:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "90F47590-6640-494F-8A93-A9AC70459DD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.9:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "5D1F88E0-4047-4ADE-A898-88FE6358D659", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.10:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "8647C50B-41CB-45CE-89E7-BB4B2759DE40", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.12:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "4960386C-07D9-4367-945C-278595DB6C0A", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.13:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "A49DCDFA-4D98-4AEC-91A1-612B85DDFB04", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.14:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "4FEB47ED-5D35-4151-B087-8324339DE5FE", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.15:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "65A513AD-9236-42D7-9D04-F318A5815640", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.16:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "6647F298-1B11-46D8-B68A-6B284BB1F7AD", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.0:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "9997C9C6-4918-4B74-92E4-012B58278DEC", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.2:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "F6DB5A36-22F9-4A2C-9ED0-68D1434B06D0", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.3:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "33C0370F-77A5-4A51-ABF2-21793CD57043", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:pivotal_software:rabbitmq:1.7.4:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "4C3C0A88-66F6-46D5-9A79-BEFB654979D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.5:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "1EC26CD6-172D-4DBE-8B23-59491E4765E1", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.6:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "669EA6CA-3F6C-4151-986D-173F1375B32B", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.7:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "69960839-7C03-4542-80D3-5C71795F8159", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.8:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "82CA3E75-AFD0-486A-9EFA-71A8CA780632", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.9:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "921374B4-B99F-4863-99D8-9FD938EF8EF0", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.10:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "C5344CFC-3100-4407-93E4-65594C3741B5", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.13:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "06B09408-573D-47A8-BC84-724DD88976E4", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.14:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "ADF54631-875A-45C4-9C0A-4836AB1F8309", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions 
prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks." }, { "lang": "es", "value": "Se detect\u00f3 un problema en estas versiones de RabbitMQ de Pivotal: todas las versiones 3.4.x, todas las versiones 3.5.x y versiones 3.6.x anteriores a 3.6.9; y en estas versiones de RabbitMQ de Pivotal para PCF: todas las versiones 1.5.x, versiones 1.6.x anteriores a 1.6.18 y versiones 1.7.x anteriores a 1.7.15. Varios formularios en la interfaz de usuario de administraci\u00f3n de RabbitMQ son vulnerables a los ataques de tipo XSS." } ], "id": "CVE-2017-4965", "lastModified": "2024-11-21T03:26:46.063", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-06-13T06:29:00.457", "references": [ { "source": "security_alert@emc.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": 
"http://www.securityfocus.com/bid/98394" }, { "source": "security_alert@emc.com", "tags": [ "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" }, { "source": "security_alert@emc.com", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://pivotal.io/security/cve-2017-4965" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/98394" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://pivotal.io/security/cve-2017-4965" } ], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-09-14 20:29
Modified
2024-11-21 03:42
Summary
Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability because the client does not check that the hostname in the broker's TLS certificate matches the host it connected to (improper certificate validation, CWE-295). An attacker positioned to intercept the connection can present a certificate issued for a different name that still chains to a trusted CA, and the client will accept it, allowing the attacker to view data in transit. Upgrade to 1.7.10 / 2.0.6 or later; see the vendor advisory for mitigations.
References
| Source | URL | Tags |
|---|---|---|
| security_alert@emc.com | https://pivotal.io/security/cve-2018-11087 | Mitigation, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://pivotal.io/security/cve-2018-11087 | Mitigation, Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:*:*:*:*:*:*:*:*", "matchCriteriaId": "566164E6-65C1-4C27-99DB-16C4D0C6AB76", "versionEndExcluding": "1.7.10", "versionStartIncluding": "1.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:*:*:*:*:*:*:*:*", "matchCriteriaId": "41A3EA77-DF58-4670-8609-C0FA7A407C6E", "versionEndExcluding": "2.0.6", "versionStartIncluding": "2.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:*:*:*", "matchCriteriaId": "76B96B99-977B-4EF7-B02B-C3EC596F8B33", "versionEndExcluding": "4.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:*:*:*", "matchCriteriaId": "927F7576-0366-4EA6-B26E-8B4B438C1407", "versionEndExcluding": "5.4.0", "versionStartIncluding": "4.8.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit." }, { "lang": "es", "value": "Pivotal Spring AMQP, en versiones 1.x anteriores a la 1.7.10 y versiones 2.x anteriores a la 2.0.6, expone una vulnerabilidad Man-in-the-Middle (MitM) debido a la falta de validaci\u00f3n de nombres de host. Un usuario malicioso que pueda interceptar tr\u00e1fico ser\u00eda capaz de ver los datos en tr\u00e1nsito." 
} ], "id": "CVE-2018-11087", "lastModified": "2024-11-21T03:42:39.100", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-09-14T20:29:00.417", "references": [ { "source": "security_alert@emc.com", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://pivotal.io/security/cve-2018-11087" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://pivotal.io/security/cve-2018-11087" } ], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-295" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-06-13 06:29
Modified
2024-11-21 03:26
Summary
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. The RabbitMQ management UI stores the signed-in user's credentials in the browser's local storage without any expiration. Local storage is readable by any script running in the management UI's origin and persists after the tab or browser session is closed, so a chained attack — for example the management-UI XSS tracked as CVE-2017-4965 on this page (same affected versions), or access to the browser profile on the user's machine — can recover those credentials.
References
| Source | URL | Tags |
|---|---|---|
| security_alert@emc.com | https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html | Third Party Advisory |
| security_alert@emc.com | https://pivotal.io/security/cve-2017-4966 | Mitigation, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html | Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://pivotal.io/security/cve-2017-4966 | Mitigation, Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "0DE6A4B2-0445-470B-B18C-2CFEB2A52455", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "0B52805C-6F10-4BCD-AA74-3E0C0FF5E3C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "5FE2FBE9-5D35-4273-8B83-A400D3A0136D", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "B11709F3-3F1C-4FC2-9F2D-87951EC04308", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "32F9F3F6-B1AF-423F-9F96-4329589B323A", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "AECBDFAA-198F-4A47-835A-4E17C090DF02", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "D879D6FD-39D7-4589-8DE7-C8DAAE6F165E", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "CE842A15-D676-4E00-AAD7-1088CE122876", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.5:*:*:*:*:*:*:*", "matchCriteriaId": "F40845F9-00D8-44F0-8B2E-60094A3D37CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:3.6.6:*:*:*:*:*:*:*", "matchCriteriaId": "3772B181-64DB-43AA-99C1-21378CF91E51", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "B58103B8-6CD1-4DA6-B5A3-D1289B95A951", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "F57DA292-66F8-4BE5-AD3B-C4400D6D1A42", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.4.2:*:*:*:*:*:*:*", "matchCriteriaId": 
"385A9C6F-7933-4681-985E-31D7CED8B0FD", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "6D7EC8A4-16CB-451F-B70B-BE232F1BCAF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "3BBF7FB2-3D52-45BE-813A-6F73DFAF9EC6", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "76B241B7-DE7C-4F95-A742-164020FCAED3", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "09429E70-C395-4E95-9C83-5BDC8083C0AE", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "9432656B-DB94-4E5F-83CB-38A9DA4FCA74", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "37CD714F-30CD-4254-AF41-DEBEA9053706", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "EEC4C125-7594-4960-BF88-977D3A95D6BC", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:rabbitmq:3.6.7:*:*:*:*:*:*:*", "matchCriteriaId": "1647A9D6-2D1F-461C-B0B8-B8A2FD9AB823", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.0:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "0DA89B77-6455-40CD-931E-BB07CD9A3166", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.1:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "52350E43-4AB5-45ED-AC31-CC948DB87631", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.2:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "42856F22-74CD-4278-8EAA-2C6582A7E658", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.3:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "F1C7EE64-A51B-4D02-AAC4-20F4D3FCB110", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:pivotal_software:rabbitmq:1.5.4:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "B0D8589A-B843-4130-8CC8-3D4C464CDB4D", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.5:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "62016F87-0B15-4D1B-A2AB-FC4769F95DB7", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.6:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "7DF99EF7-AFCB-4CA5-8F28-ABC9118612CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.7:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "2D9F3D8B-DDB3-4175-AAD7-8F952E9A7D2C", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.8:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "C5125B26-63EE-4FE8-97A1-DC6E11757ACA", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.9:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "6AF3BAA0-0AEA-4B96-9C91-E51789844A39", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.10:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "DD5F0850-F34B-4E79-A46D-B74F2E90C43A", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.11:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "DF23DD7D-16B4-408C-A825-C79487D79A0F", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.12:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "E792D92E-07A1-4E48-90CB-5EC7C99E0AF0", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.13:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "B873D04B-704B-468D-A2B1-8E04653806F3", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.14:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "13C9004B-590A-45F0-8AA9-713928A8F5F2", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.15:*:*:*:*:pivotal_cloud_foundry:*:*", 
"matchCriteriaId": "F22B84B3-438E-4E08-A02D-4A85C0C561B6", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.17:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "501A5F31-6DBA-4E90-8BAD-E1DFD0967D0F", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.18:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "3E99B39C-21AF-4F75-8D96-9B69F48C2A39", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.5.19:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "0CFACCBF-6C53-4A7F-AC0F-8A2D03E6D6EE", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.0:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "3C6E80B6-857B-4D53-B107-8667EFCCE0EA", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.1:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "95C7294C-C9D3-40F8-B3C9-40424D5FC124", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.2:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "66F85747-11AA-4133-B553-3C31152F0781", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.3:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "B425D53C-5713-401E-BE30-BCDE54F65857", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.4:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "758D57BA-3EA6-4036-8BDD-5BA2AAE25F77", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.5:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "036437B9-1A7F-4C60-B9FE-B38173BC6FAB", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.6:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "408D457F-4DE5-4280-8379-083DA78ECF00", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.7:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "C9D2B08D-9779-4E80-BAB6-870F81F24F7E", "vulnerable": true }, { 
"criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.8:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "90F47590-6640-494F-8A93-A9AC70459DD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.9:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "5D1F88E0-4047-4ADE-A898-88FE6358D659", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.10:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "8647C50B-41CB-45CE-89E7-BB4B2759DE40", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.12:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "4960386C-07D9-4367-945C-278595DB6C0A", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.13:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "A49DCDFA-4D98-4AEC-91A1-612B85DDFB04", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.14:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "4FEB47ED-5D35-4151-B087-8324339DE5FE", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.15:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "65A513AD-9236-42D7-9D04-F318A5815640", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.16:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "6647F298-1B11-46D8-B68A-6B284BB1F7AD", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.0:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "9997C9C6-4918-4B74-92E4-012B58278DEC", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.2:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "F6DB5A36-22F9-4A2C-9ED0-68D1434B06D0", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.3:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "33C0370F-77A5-4A51-ABF2-21793CD57043", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:pivotal_software:rabbitmq:1.7.4:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "4C3C0A88-66F6-46D5-9A79-BEFB654979D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.5:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "1EC26CD6-172D-4DBE-8B23-59491E4765E1", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.6:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "669EA6CA-3F6C-4151-986D-173F1375B32B", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.7:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "69960839-7C03-4542-80D3-5C71795F8159", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.8:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "82CA3E75-AFD0-486A-9EFA-71A8CA780632", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.9:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "921374B4-B99F-4863-99D8-9FD938EF8EF0", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.10:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "C5344CFC-3100-4407-93E4-65594C3741B5", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.13:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "06B09408-573D-47A8-BC84-724DD88976E4", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.7.14:*:*:*:*:pivotal_cloud_foundry:*:*", "matchCriteriaId": "ADF54631-875A-45C4-9C0A-4836AB1F8309", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions 
prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. RabbitMQ management UI stores signed-in user credentials in a browser\u0027s local storage without expiration, making it possible to retrieve them using a chained attack." }, { "lang": "es", "value": "Se detect\u00f3 un problema en estas versiones de RabbitMQ de Pivotal: todas las versiones 3.4.x, todas las versiones 3.5.x y versiones 3.6.x anteriores a 3.6.9; y en estas versiones de RabbitMQ de Pivotal para PCF: todas las versiones 1.5.x, versiones 1.6.x anteriores a 1.6.18 y versiones 1.7.x anteriores a 1.7.15. La interfaz de usuario de administraci\u00f3n de RabbitMQ almacena las credenciales de los usuarios registrados en el almacenamiento local de un navegador sin expiraci\u00f3n, lo que hace posible recuperarlas mediante un ataque encadenado." } ], "id": "CVE-2017-4966", "lastModified": "2024-11-21T03:26:46.240", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", 
"type": "Primary" } ] }, "published": "2017-06-13T06:29:00.503", "references": [ { "source": "security_alert@emc.com", "tags": [ "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" }, { "source": "security_alert@emc.com", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://pivotal.io/security/cve-2017-4966" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://pivotal.io/security/cve-2017-4966" } ], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2016-09-18 02:59
Modified
2024-11-21 02:42
Summary
The metrics-collection component in RabbitMQ for Pivotal Cloud Foundry (PCF) 1.6.x before 1.6.4 logs command lines of failed commands, which might allow context-dependent attackers to obtain sensitive information by reading the log data, as demonstrated by a syslog message that contains credentials from a command line.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
pivotal_software | rabbitmq | 1.6.0 | |
pivotal_software | rabbitmq | 1.6.1 | |
pivotal_software | rabbitmq | 1.6.2 | |
pivotal_software | rabbitmq | 1.6.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "09CE6DEE-069D-4793-AAE2-0BF494CB391C", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "EE1AA9B4-7390-451D-8A5A-2D770F48CFBD", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "D6778D8B-58F7-4BD7-BB80-C024E4836F4F", "vulnerable": true }, { "criteria": "cpe:2.3:a:pivotal_software:rabbitmq:1.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "252B68ED-7E5A-4B0D-A18F-B83F69F7CCAA", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The metrics-collection component in RabbitMQ for Pivotal Cloud Foundry (PCF) 1.6.x before 1.6.4 logs command lines of failed commands, which might allow context-dependent attackers to obtain sensitive information by reading the log data, as demonstrated by a syslog message that contains credentials from a command line." }, { "lang": "es", "value": "El componente metrics-collection en RabbitMQ para Pivotal Cloud Foundry (PCF) 1.6.x en versiones anteriores a 1.6.4 registra las l\u00edneas de comandos de comandos fallidos, lo que podr\u00eda permitir a atacantes dependientes de contexto obtener informaci\u00f3n sensible mediante la lectura de datos de registro, como se demuestra por un mensaje syslog que contiene credenciales de una l\u00ednea de comandos." 
} ], "id": "CVE-2016-0929", "lastModified": "2024-11-21T02:42:39.217", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-09-18T02:59:09.980", "references": [ { "source": "security_alert@emc.com", "url": "http://www.securityfocus.com/bid/91801" }, { "source": "security_alert@emc.com", "tags": [ "Vendor Advisory" ], "url": "https://pivotal.io/security/cve-2016-0929" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/91801" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pivotal.io/security/cve-2016-0929" } ], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
cve-2017-4967
Vulnerability from cvelistv5
Published
2017-06-13 06:00
Modified
2024-08-05 14:47
Summary
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
References
▼ | URL | Tags |
---|---|---|
https://pivotal.io/security/cve-2017-4965 | x_refsource_CONFIRM | |
https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | n/a | Pivotal RabbitMQ |
Version: Pivotal RabbitMQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T14:47:43.349Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://pivotal.io/security/cve-2017-4965" }, { "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Pivotal RabbitMQ", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Pivotal RabbitMQ" } ] } ], "datePublic": "2017-06-12T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks." 
} ], "problemTypes": [ { "descriptions": [ { "description": "XSS vulnerabilities in RabbitMQ management UI", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-19T19:06:14", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://pivotal.io/security/cve-2017-4965" }, { "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secure@dell.com", "ID": "CVE-2017-4967", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Pivotal RabbitMQ", "version": { "version_data": [ { "version_value": "Pivotal RabbitMQ" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS vulnerabilities in RabbitMQ management UI" } ] } ] }, "references": { "reference_data": [ { "name": "https://pivotal.io/security/cve-2017-4965", "refsource": "CONFIRM", "url": "https://pivotal.io/security/cve-2017-4965" }, { "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2017-4967", "datePublished": "2017-06-13T06:00:00", "dateReserved": "2016-12-29T00:00:00", "dateUpdated": "2024-08-05T14:47:43.349Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-4966
Vulnerability from cvelistv5
Published
2017-06-13 06:00
Modified
2024-08-05 14:47
Summary
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. RabbitMQ management UI stores signed-in user credentials in a browser's local storage without expiration, making it possible to retrieve them using a chained attack.
References
▼ | URL | Tags |
---|---|---|
https://pivotal.io/security/cve-2017-4966 | x_refsource_CONFIRM | |
https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | n/a | Pivotal RabbitMQ |
Version: Pivotal RabbitMQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T14:47:44.070Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://pivotal.io/security/cve-2017-4966" }, { "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Pivotal RabbitMQ", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Pivotal RabbitMQ" } ] } ], "datePublic": "2017-06-12T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. RabbitMQ management UI stores signed-in user credentials in a browser\u0027s local storage without expiration, making it possible to retrieve them using a chained attack." 
} ], "problemTypes": [ { "descriptions": [ { "description": "local storage of credentials", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-19T19:06:22", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://pivotal.io/security/cve-2017-4966" }, { "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secure@dell.com", "ID": "CVE-2017-4966", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Pivotal RabbitMQ", "version": { "version_data": [ { "version_value": "Pivotal RabbitMQ" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. RabbitMQ management UI stores signed-in user credentials in a browser\u0027s local storage without expiration, making it possible to retrieve them using a chained attack." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "local storage of credentials" } ] } ] }, "references": { "reference_data": [ { "name": "https://pivotal.io/security/cve-2017-4966", "refsource": "CONFIRM", "url": "https://pivotal.io/security/cve-2017-4966" }, { "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2017-4966", "datePublished": "2017-06-13T06:00:00", "dateReserved": "2016-12-29T00:00:00", "dateUpdated": "2024-08-05T14:47:44.070Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11281
Vulnerability from cvelistv5
Published
2019-10-16 15:23
Modified
2024-09-16 19:05
Summary
Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.
References
▼ | URL | Tags |
---|---|---|
https://pivotal.io/security/cve-2019-11281 | x_refsource_CONFIRM | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/ | vendor-advisory, x_refsource_FEDORA | |
https://access.redhat.com/errata/RHSA-2020:0078 | vendor-advisory, x_refsource_REDHAT | |
https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Pivotal | RabbitMQ |
Version: prior to v3.7.18 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:48:09.216Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://pivotal.io/security/cve-2019-11281" }, { "name": "FEDORA-2019-6497f51791", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/" }, { "name": "FEDORA-2019-74d2feb5be", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/" }, { "name": "RHSA-2020:0078", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2020:0078" }, { "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "RabbitMQ", "vendor": "Pivotal", "versions": [ { "status": "affected", "version": "prior to v3.7.18" } ] }, { "product": "RabbitMQ for PCF", "vendor": "Pivotal", "versions": [ { "status": "affected", "version": "1.15.x prior to 1.15.13" }, { "status": "affected", "version": "11.16.x prior to 1.16.6" }, { "status": "affected", "version": "1.17.x prior to 1.17.3" } ] } ], "datePublic": "2019-10-15T00:00:00", "descriptions": [ { "lang": "en", "value": "Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not 
properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Cross-site Scripting (XSS) - Generic", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-19T19:06:24", "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03", "shortName": "pivotal" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://pivotal.io/security/cve-2019-11281" }, { "name": "FEDORA-2019-6497f51791", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/" }, { "name": "FEDORA-2019-74d2feb5be", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/" }, { "name": "RHSA-2020:0078", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2020:0078" }, { "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "RabbitMQ XSS attack", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@pivotal.io", "DATE_PUBLIC": 
"2019-10-15T20:59:25.000Z", "ID": "CVE-2019-11281", "STATE": "PUBLIC", "TITLE": "RabbitMQ XSS attack" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "RabbitMQ", "version": { "version_data": [ { "version_value": "prior to v3.7.18" } ] } }, { "product_name": "RabbitMQ for PCF", "version": { "version_data": [ { "version_value": "1.15.x prior to 1.15.13" }, { "version_value": "11.16.x prior to 1.16.6" }, { "version_value": "1.17.x prior to 1.17.3" } ] } } ] }, "vendor_name": "Pivotal" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79: Cross-site Scripting (XSS) - Generic" } ] } ] }, "references": { "reference_data": [ { "name": "https://pivotal.io/security/cve-2019-11281", "refsource": "CONFIRM", "url": "https://pivotal.io/security/cve-2019-11281" }, { "name": "FEDORA-2019-6497f51791", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/" }, { "name": "FEDORA-2019-74d2feb5be", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/" }, { "name": "RHSA-2020:0078", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0078" }, { "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03", "assignerShortName": "pivotal", "cveId": "CVE-2019-11281", "datePublished": "2019-10-16T15:23:47.309415Z", "dateReserved": "2019-04-18T00:00:00", "dateUpdated": "2024-09-16T19:05:38.917Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-5419
Vulnerability from cvelistv5
Published
2020-08-31 15:05
Modified
2024-09-16 23:31
Summary
RabbitMQ versions 3.8.x prior to 3.8.7 are prone to a Windows-specific binary planting security vulnerability that allows for arbitrary code execution. An attacker with write privileges to the RabbitMQ installation directory and local access on Windows could carry out a local binary hijacking (planting) attack and execute arbitrary code.
References
▼ | URL | Tags |
---|---|---|
https://tanzu.vmware.com/security/cve-2020-5419 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | VMware Tanzu | RabbitMQ |
Version: 3.7 < 3.7.28 Version: 3.8 < 3.8.7 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T08:30:24.433Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://tanzu.vmware.com/security/cve-2020-5419" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "RabbitMQ", "vendor": "VMware Tanzu", "versions": [ { "lessThan": "3.7.28", "status": "affected", "version": "3.7", "versionType": "custom" }, { "lessThan": "3.8.7", "status": "affected", "version": "3.8", "versionType": "custom" } ] } ], "datePublic": "2020-08-27T00:00:00", "descriptions": [ { "lang": "en", "value": "RabbitMQ versions 3.8.x prior to 3.8.7 are prone to a Windows-specific binary planting security vulnerability that allows for arbitrary code execution. An attacker with write privileges to the RabbitMQ installation directory and local access on Windows could carry out a local binary hijacking (planting) attack and execute arbitrary code." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-427", "description": "CWE-427: Uncontrolled Search Path Element", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-08-31T15:05:19", "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03", "shortName": "pivotal" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://tanzu.vmware.com/security/cve-2020-5419" } ], "source": { "discovery": "UNKNOWN" }, "title": "RabbitMQ arbitrary code execution using local binary planting", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@pivotal.io", "DATE_PUBLIC": "2020-08-27T00:00:00.000Z", "ID": "CVE-2020-5419", "STATE": "PUBLIC", "TITLE": "RabbitMQ arbitrary code execution using local binary planting" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "RabbitMQ", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "3.7", "version_value": "3.7.28" }, { "version_affected": "\u003c", "version_name": "3.8", "version_value": "3.8.7" } ] } } ] }, "vendor_name": "VMware Tanzu" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "RabbitMQ versions 3.8.x prior to 3.8.7 are prone to a Windows-specific binary planting security vulnerability that allows for arbitrary code execution. An attacker with write privileges to the RabbitMQ installation directory and local access on Windows could carry out a local binary hijacking (planting) attack and execute arbitrary code." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-427: Uncontrolled Search Path Element" } ] } ] }, "references": { "reference_data": [ { "name": "https://tanzu.vmware.com/security/cve-2020-5419", "refsource": "CONFIRM", "url": "https://tanzu.vmware.com/security/cve-2020-5419" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03", "assignerShortName": "pivotal", "cveId": "CVE-2020-5419", "datePublished": "2020-08-31T15:05:20.057877Z", "dateReserved": "2020-01-03T00:00:00", "dateUpdated": "2024-09-16T23:31:18.810Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-9494
Vulnerability from cvelistv5
Published
2015-01-20 15:00
Modified
2024-08-06 13:47
Summary
RabbitMQ before 3.4.0 allows remote attackers to bypass the loopback_users restriction via a crafted X-Forwarded-For header.
References
▼ | URL | Tags |
---|---|---|
https://exchange.xforce.ibmcloud.com/vulnerabilities/99685 | vdb-entry, x_refsource_XF | |
https://groups.google.com/forum/#%21topic/rabbitmq-users/DMkypbSvIyM | x_refsource_CONFIRM | |
http://seclists.org/oss-sec/2015/q1/30 | mailing-list, x_refsource_MLIST | |
http://www.rabbitmq.com/release-notes/README-3.4.0.txt | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T13:47:41.007Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "rabbitmq-cve20149494-sec-bypass(99685)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99685" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://groups.google.com/forum/#%21topic/rabbitmq-users/DMkypbSvIyM" }, { "name": "[oss-security] 20150103 Re: CVE request: insufficient \u0027X-Forwarded-For\u0027 header validation in rabbitmq-server", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://seclists.org/oss-sec/2015/q1/30" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.rabbitmq.com/release-notes/README-3.4.0.txt" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-10-21T00:00:00", "descriptions": [ { "lang": "en", "value": "RabbitMQ before 3.4.0 allows remote attackers to bypass the loopback_users restriction via a crafted X-Forwareded-For header." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-07T15:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "rabbitmq-cve20149494-sec-bypass(99685)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99685" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://groups.google.com/forum/#%21topic/rabbitmq-users/DMkypbSvIyM" }, { "name": "[oss-security] 20150103 Re: CVE request: insufficient \u0027X-Forwarded-For\u0027 header validation in rabbitmq-server", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://seclists.org/oss-sec/2015/q1/30" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.rabbitmq.com/release-notes/README-3.4.0.txt" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2014-9494", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "RabbitMQ before 3.4.0 allows remote attackers to bypass the loopback_users restriction via a crafted X-Forwareded-For header." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "rabbitmq-cve20149494-sec-bypass(99685)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99685" }, { "name": "https://groups.google.com/forum/#!topic/rabbitmq-users/DMkypbSvIyM", "refsource": "CONFIRM", "url": "https://groups.google.com/forum/#!topic/rabbitmq-users/DMkypbSvIyM" }, { "name": "[oss-security] 20150103 Re: CVE request: insufficient \u0027X-Forwarded-For\u0027 header validation in rabbitmq-server", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2015/q1/30" }, { "name": "http://www.rabbitmq.com/release-notes/README-3.4.0.txt", "refsource": "CONFIRM", "url": "http://www.rabbitmq.com/release-notes/README-3.4.0.txt" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-9494", "datePublished": "2015-01-20T15:00:00", "dateReserved": "2015-01-03T00:00:00", "dateUpdated": "2024-08-06T13:47:41.007Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-0929
Vulnerability from cvelistv5
Published
2016-09-18 01:00
Modified
2024-08-05 22:38
Summary
The metrics-collection component in RabbitMQ for Pivotal Cloud Foundry (PCF) 1.6.x before 1.6.4 logs command lines of failed commands, which might allow context-dependent attackers to obtain sensitive information by reading the log data, as demonstrated by a syslog message that contains credentials from a command line.
References
▼ | URL | Tags |
---|---|---|
https://pivotal.io/security/cve-2016-0929 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/91801 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T22:38:40.995Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://pivotal.io/security/cve-2016-0929" }, { "name": "91801", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/91801" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-09-13T00:00:00", "descriptions": [ { "lang": "en", "value": "The metrics-collection component in RabbitMQ for Pivotal Cloud Foundry (PCF) 1.6.x before 1.6.4 logs command lines of failed commands, which might allow context-dependent attackers to obtain sensitive information by reading the log data, as demonstrated by a syslog message that contains credentials from a command line." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-25T19:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://pivotal.io/security/cve-2016-0929" }, { "name": "91801", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/91801" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security_alert@emc.com", "ID": "CVE-2016-0929", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The metrics-collection component in RabbitMQ for Pivotal Cloud Foundry (PCF) 1.6.x before 1.6.4 
logs command lines of failed commands, which might allow context-dependent attackers to obtain sensitive information by reading the log data, as demonstrated by a syslog message that contains credentials from a command line." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://pivotal.io/security/cve-2016-0929", "refsource": "CONFIRM", "url": "https://pivotal.io/security/cve-2016-0929" }, { "name": "91801", "refsource": "BID", "url": "http://www.securityfocus.com/bid/91801" } ] } } } }, "cveMetadata": { "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2016-0929", "datePublished": "2016-09-18T01:00:00", "dateReserved": "2015-12-17T00:00:00", "dateUpdated": "2024-08-05T22:38:40.995Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-1279
Vulnerability from cvelistv5
Published
2018-12-10 19:00
Modified
2024-09-17 00:37
Summary
Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cluster cookie that is shared by every machine when the tile is configured as a multi-tenant cluster. Because the cookie is derived predictably rather than from a random source (problem type: Use of Insufficiently Random Values), a remote attacker who can learn the network topology can guess it and, given network access to the relevant inter-node ports on any server in the cluster, can use the cookie to gain full control over the entire cluster. The shared cookie should therefore be treated as a credential: exposure of the cluster ports to anything other than cluster members turns a guessable value into a full-cluster compromise.
References
▼ | URL | Tags |
---|---|---|
https://pivotal.io/security/cve-2018-1279 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Pivotal | RabbitMq for PCF |
Version: 1 < all versions* |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T03:59:37.260Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://pivotal.io/security/cve-2018-1279" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "RabbitMq for PCF", "vendor": "Pivotal", "versions": [ { "lessThan": "all versions*", "status": "affected", "version": "1", "versionType": "custom" } ] } ], "datePublic": "2018-12-05T00:00:00", "descriptions": [ { "lang": "en", "value": "Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "description": "Use of Insufficiently Random Values", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-12-10T18:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://pivotal.io/security/cve-2018-1279" } ], "source": { "discovery": "UNKNOWN" }, "title": "RabbitMQ cluster compromise due to deterministically generated cookie", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security_alert@emc.com", "DATE_PUBLIC": "2018-12-05T00:00:00.000Z", 
"ID": "CVE-2018-1279", "STATE": "PUBLIC", "TITLE": "RabbitMQ cluster compromise due to deterministically generated cookie" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "RabbitMq for PCF", "version": { "version_data": [ { "affected": "\u003e", "version_affected": "\u003e", "version_name": "all versions", "version_value": "1" } ] } } ] }, "vendor_name": "Pivotal" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Use of Insufficiently Random Values" } ] } ] }, "references": { "reference_data": [ { "name": "https://pivotal.io/security/cve-2018-1279", "refsource": "CONFIRM", "url": "https://pivotal.io/security/cve-2018-1279" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2018-1279", "datePublished": "2018-12-10T19:00:00Z", "dateReserved": "2017-12-06T00:00:00", "dateUpdated": "2024-09-17T00:37:15.917Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": 
"5.1" }
cve-2018-11087
Vulnerability from cvelistv5
Published
2018-09-14 20:00
Modified
2024-09-17 03:58
Summary
Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, is exposed to a man-in-the-middle attack because the TLS client did not verify that the hostname in the broker's certificate matched the host it connected to. An attacker able to intercept traffic could therefore present a certificate issued for a different name that the client would still accept, and read data in transit. The fix is to upgrade to 1.7.10 or 2.0.6 respectively, where hostname validation is enforced.
References
▼ | URL | Tags |
---|---|---|
https://pivotal.io/security/cve-2018-11087 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Pivotal | Spring AMQP |
Version: 1.x < 1.7.10 Version: 2.x < 2.0.6 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T07:54:36.646Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://pivotal.io/security/cve-2018-11087" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Spring AMQP", "vendor": "Pivotal", "versions": [ { "lessThan": "1.7.10", "status": "affected", "version": "1.x", "versionType": "custom" }, { "lessThan": "2.0.6", "status": "affected", "version": "2.x", "versionType": "custom" } ] } ], "datePublic": "2018-09-11T00:00:00", "descriptions": [ { "lang": "en", "value": "Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit." } ], "problemTypes": [ { "descriptions": [ { "description": "TLS validation error", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-09-14T19:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://pivotal.io/security/cve-2018-11087" } ], "source": { "discovery": "UNKNOWN" }, "title": "TLS validation error", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security_alert@emc.com", "DATE_PUBLIC": "2018-09-11T04:00:00.000Z", "ID": "CVE-2018-11087", "STATE": "PUBLIC", "TITLE": "TLS validation error" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Spring AMQP", "version": { "version_data": [ { "affected": "\u003c", "version_affected": "\u003c", "version_name": "1.x", "version_value": "1.7.10" }, { "affected": "\u003c", "version_affected": "\u003c", "version_name": "2.x", "version_value": "2.0.6" } ] } } ] }, "vendor_name": "Pivotal" } ] } }, "data_format": "MITRE", 
"data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "TLS validation error" } ] } ] }, "references": { "reference_data": [ { "name": "https://pivotal.io/security/cve-2018-11087", "refsource": "CONFIRM", "url": "https://pivotal.io/security/cve-2018-11087" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2018-11087", "datePublished": "2018-09-14T20:00:00Z", "dateReserved": "2018-05-14T00:00:00", "dateUpdated": "2024-09-17T03:58:41.663Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-4965
Vulnerability from cvelistv5
Published
2017-06-13 06:00
Modified
2024-08-05 14:47
Summary
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/98394 | vdb-entry, x_refsource_BID | |
https://pivotal.io/security/cve-2017-4965 | x_refsource_CONFIRM | |
https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | n/a | Pivotal RabbitMQ |
Version: Pivotal RabbitMQ |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T14:47:43.344Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "98394", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/98394" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://pivotal.io/security/cve-2017-4965" }, { "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Pivotal RabbitMQ", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Pivotal RabbitMQ" } ] } ], "datePublic": "2017-06-12T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks." 
} ], "problemTypes": [ { "descriptions": [ { "description": "XSS vulnerabilities in RabbitMQ management UI", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-19T19:06:16", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell" }, "references": [ { "name": "98394", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/98394" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://pivotal.io/security/cve-2017-4965" }, { "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secure@dell.com", "ID": "CVE-2017-4965", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Pivotal RabbitMQ", "version": { "version_data": [ { "version_value": "Pivotal RabbitMQ" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS vulnerabilities in RabbitMQ management UI" } ] } ] }, "references": { "reference_data": [ { "name": "98394", "refsource": "BID", "url": "http://www.securityfocus.com/bid/98394" }, { "name": "https://pivotal.io/security/cve-2017-4965", "refsource": "CONFIRM", "url": "https://pivotal.io/security/cve-2017-4965" }, { "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2017-4965", "datePublished": "2017-06-13T06:00:00", "dateReserved": "2016-12-29T00:00:00", "dateUpdated": "2024-08-05T14:47:43.344Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-9877
Vulnerability from cvelistv5
Published
2016-12-29 09:02
Modified
2024-08-06 03:07
Summary
An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. In MQTT (MQ Telemetry Transport) username/password authentication, a connection request that names an existing user but omits the password entirely is accepted, so anyone who knows or can guess a valid username can authenticate as that user without supplying a credential. Connections that authenticate with a TLS client-provided certificate are not affected; the flaw lies in the password path only. Upgrade to 3.5.8 / 3.6.6 or the PCF releases listed above.
References
▼ | URL | Tags |
---|---|---|
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03880en_us | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/95065 | vdb-entry, x_refsource_BID | |
https://pivotal.io/security/cve-2016-9877 | x_refsource_CONFIRM | |
http://www.debian.org/security/2017/dsa-3761 | vendor-advisory, x_refsource_DEBIAN |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | n/a | Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6; RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12 and 1.7.x before 1.7.7 |
Version: Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6; RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12 and 1.7.x before 1.7.7 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T03:07:30.822Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03880en_us" }, { "name": "95065", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/95065" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://pivotal.io/security/cve-2016-9877" }, { "name": "DSA-3761", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2017/dsa-3761" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6; RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12 and 1.7.x before 1.7.7", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6; RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12 and 1.7.x before 1.7.7" } ] } ], "datePublic": "2016-12-29T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected." 
} ], "problemTypes": [ { "descriptions": [ { "description": "RabbitMQ authentication vulnerability", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-09-21T09:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03880en_us" }, { "name": "95065", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/95065" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://pivotal.io/security/cve-2016-9877" }, { "name": "DSA-3761", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2017/dsa-3761" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security_alert@emc.com", "ID": "CVE-2016-9877", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6; RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12 and 1.7.x before 1.7.7", "version": { "version_data": [ { "version_value": "Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6; RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12 and 1.7.x before 1.7.7" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "RabbitMQ authentication vulnerability" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03880en_us", "refsource": "CONFIRM", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03880en_us" }, { "name": "95065", "refsource": "BID", "url": "http://www.securityfocus.com/bid/95065" }, { "name": "https://pivotal.io/security/cve-2016-9877", "refsource": "CONFIRM", "url": "https://pivotal.io/security/cve-2016-9877" }, { "name": "DSA-3761", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2017/dsa-3761" } ] } } } }, "cveMetadata": { "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2016-9877", "datePublished": "2016-12-29T09:02:00", "dateReserved": "2016-12-06T00:00:00", "dateUpdated": "2024-08-06T03:07:30.822Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-8786
Vulnerability from cvelistv5
Published
2016-12-09 20:00
Modified
2024-08-06 08:29
Summary
The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter.
References
▼ | URL | Tags |
---|---|---|
https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_1 | x_refsource_CONFIRM | |
http://rhn.redhat.com/errata/RHSA-2017-0532.html | vendor-advisory, x_refsource_REDHAT | |
http://rhn.redhat.com/errata/RHSA-2017-0530.html | vendor-advisory, x_refsource_REDHAT | |
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html | x_refsource_CONFIRM | |
http://rhn.redhat.com/errata/RHSA-2017-0531.html | vendor-advisory, x_refsource_REDHAT | |
http://rhn.redhat.com/errata/RHSA-2017-0533.html | vendor-advisory, x_refsource_REDHAT | |
https://github.com/rabbitmq/rabbitmq-management/issues/97 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/91508 | vdb-entry, x_refsource_BID | |
http://rhn.redhat.com/errata/RHSA-2017-0226.html | vendor-advisory, x_refsource_REDHAT |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T08:29:21.993Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_1" }, { "name": "RHSA-2017:0532", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2017-0532.html" }, { "name": "RHSA-2017:0530", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2017-0530.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html" }, { "name": "RHSA-2017:0531", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2017-0531.html" }, { "name": "RHSA-2017:0533", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2017-0533.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/rabbitmq/rabbitmq-management/issues/97" }, { "name": "91508", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/91508" }, { "name": "RHSA-2017:0226", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2017-0226.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-01-04T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_1" }, { "name": "RHSA-2017:0532", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2017-0532.html" }, { "name": "RHSA-2017:0530", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2017-0530.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html" }, { "name": "RHSA-2017:0531", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2017-0531.html" }, { "name": "RHSA-2017:0533", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2017-0533.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/rabbitmq/rabbitmq-management/issues/97" }, { "name": "91508", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/91508" }, { "name": "RHSA-2017:0226", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2017-0226.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-8786", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a 
denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_1", "refsource": "CONFIRM", "url": "https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_1" }, { "name": "RHSA-2017:0532", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2017-0532.html" }, { "name": "RHSA-2017:0530", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2017-0530.html" }, { "name": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html" }, { "name": "RHSA-2017:0531", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2017-0531.html" }, { "name": "RHSA-2017:0533", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2017-0533.html" }, { "name": "https://github.com/rabbitmq/rabbitmq-management/issues/97", "refsource": "CONFIRM", "url": "https://github.com/rabbitmq/rabbitmq-management/issues/97" }, { "name": "91508", "refsource": "BID", "url": "http://www.securityfocus.com/bid/91508" }, { "name": "RHSA-2017:0226", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2017-0226.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-8786", "datePublished": "2016-12-09T20:00:00", "dateReserved": "2016-01-25T00:00:00", "dateUpdated": "2024-08-06T08:29:21.993Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11287
Vulnerability from cvelistv5
Published
2019-11-22 23:26
Modified
2024-09-16 22:24
Summary
Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, ship a web management plugin that is vulnerable to denial of service. The value of the "X-Reason" HTTP header is interpreted as an Erlang format string; a crafted header expands during formatting, consuming the heap until the server crashes. Note that the affected component is the management plugin, not the AMQP core, and the vendor's CVSS 3.0 vector (PR:H, UI:R) indicates the attack requires high privileges and user interaction rather than being an unauthenticated remote crash.
References
▼ | URL | Tags |
---|---|---|
https://pivotal.io/security/cve-2019-11287 | x_refsource_CONFIRM | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/ | vendor-advisory, x_refsource_FEDORA | |
https://access.redhat.com/errata/RHSA-2020:0078 | vendor-advisory, x_refsource_REDHAT | |
https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin | x_refsource_MISC | |
https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Pivotal | RabbitMQ for Pivotal Platform |
Version: 1.16 < 1.16.7 Version: 1.17 < 1.17.4 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:48:09.092Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://pivotal.io/security/cve-2019-11287" }, { "name": "FEDORA-2019-6497f51791", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/" }, { "name": "FEDORA-2019-74d2feb5be", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/" }, { "name": "RHSA-2020:0078", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2020:0078" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin" }, { "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "RabbitMQ for Pivotal Platform", "vendor": "Pivotal", "versions": [ { "lessThan": "1.16.7", "status": "affected", "version": "1.16", "versionType": "custom" }, { "lessThan": "1.17.4", "status": "affected", "version": "1.17", "versionType": "custom" } ] }, { "product": "RabbitMQ", "vendor": "Pivotal", "versions": [ { "lessThan": "v3.7.21", "status": "affected", "version": "3.7", "versionType": "custom" }, { "lessThan": "v3.8.1", "status": "affected", "version": "3.8", "versionType": "custom" } ] } ], "datePublic": 
"2019-11-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The \"X-Reason\" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Denial of Service", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-19T19:06:18", "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03", "shortName": "pivotal" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://pivotal.io/security/cve-2019-11287" }, { "name": "FEDORA-2019-6497f51791", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/" }, { "name": "FEDORA-2019-74d2feb5be", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/" }, { "name": "RHSA-2020:0078", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2020:0078" }, { "tags": [ "x_refsource_MISC" ], "url": 
"https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin" }, { "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "RabbitMQ Web Management Plugin DoS via heap overflow", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@pivotal.io", "DATE_PUBLIC": "2019-11-22T20:51:56.000Z", "ID": "CVE-2019-11287", "STATE": "PUBLIC", "TITLE": "RabbitMQ Web Management Plugin DoS via heap overflow" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "RabbitMQ for Pivotal Platform", "version": { "version_data": [ { "affected": "\u003c", "version_affected": "\u003c", "version_name": "1.16", "version_value": "1.16.7" }, { "affected": "\u003c", "version_affected": "\u003c", "version_name": "1.17", "version_value": "1.17.4" } ] } }, { "product_name": "RabbitMQ", "version": { "version_data": [ { "affected": "\u003c", "version_affected": "\u003c", "version_name": "3.7", "version_value": "v3.7.21" }, { "affected": "\u003c", "version_affected": "\u003c", "version_name": "3.8", "version_value": "v3.8.1" } ] } } ] }, "vendor_name": "Pivotal" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The \"X-Reason\" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400: Denial of Service" } ] } ] }, "references": { "reference_data": [ { "name": "https://pivotal.io/security/cve-2019-11287", "refsource": "CONFIRM", "url": "https://pivotal.io/security/cve-2019-11287" }, { "name": "FEDORA-2019-6497f51791", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/" }, { "name": "FEDORA-2019-74d2feb5be", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/" }, { "name": "RHSA-2020:0078", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0078" }, { "name": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin", "refsource": "MISC", "url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin" }, { "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03", "assignerShortName": "pivotal", "cveId": "CVE-2019-11287", "datePublished": "2019-11-22T23:26:08.880149Z", "dateReserved": "2019-04-18T00:00:00", "dateUpdated": 
"2024-09-16T22:24:51.121Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }