Improper access control in RabbitMQ - CVE-2016-9877
Published: December 29, 2016 / Updated: August 9, 2020
Vulnerability identifier: #VU39960
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2016-9877
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: VMware, Inc
Affected software:
RabbitMQ
RabbitMQ
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected.
How to mitigate CVE-2016-9877
Install update from vendor's website.