CVSS: 7.8EPSS: 0%CPEs: 60EXPL: 0CVE-2019-3800 – CF CLI writes the client id and secret to config file
https://notcve.org/view.php?id=CVE-2019-3800
05 Aug 2019 — CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials. La CLI de CF anterior a versión v6.45.0 (versión de lanzamiento bosh 1.16.0), escribe el id y el secreto del cliente hacia su archivo de configuración cuando el usuario se autentica con el flag --... • https://pivotal.io/security/cve-2019-3800 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •
CVSS: 5.9EPSS: 0%CPEs: 4EXPL: 0CVE-2018-11087 – TLS validation error
https://notcve.org/view.php?id=CVE-2018-11087
14 Sep 2018 — Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit. Pivotal Spring AMQP, en versiones 1.x anteriores a la 1.7.10 y versiones 2.x anteriores a la 2.0.6, expone una vulnerabilidad Man-in-the-Middle (MitM) debido a la falta de validación de nombres de host. Un usuario malicioso que pueda interceptar tráfico ... • https://pivotal.io/security/cve-2018-11087 • CWE-295: Improper Certificate Validation •
CVSS: 7.8EPSS: 0%CPEs: 69EXPL: 0CVE-2017-4966 – Ubuntu Security Notice USN-6265-1
https://notcve.org/view.php?id=CVE-2017-4966
13 Jun 2017 — An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. RabbitMQ management UI stores signed-in user credentials in a browser's local storage without expiration, making it possible to retrieve them using a chained attack. Se detectó un problema en estas versiones de RabbitMQ de Pivotal: todas las versiones ... • https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 69EXPL: 0CVE-2017-4967
https://notcve.org/view.php?id=CVE-2017-4967
13 Jun 2017 — An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks. Se detectó un problema en estas versiones de RabbitMQ de Pivotal: todas las versiones 3.4.x, todas las versiones 3.5.x y versiones 3.6.x anteriores a 3.6.9; y en estas versiones... • https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 69EXPL: 0CVE-2017-4965
https://notcve.org/view.php?id=CVE-2017-4965
13 Jun 2017 — An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks. Se detectó un problema en estas versiones de RabbitMQ de Pivotal: todas las versiones 3.4.x, todas las versiones 3.5.x y versiones 3.6.x anteriores a 3.6.9; y en estas versiones... • http://www.securityfocus.com/bid/98394 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 76EXPL: 0CVE-2016-9877 – Ubuntu Security Notice USN-3374-1
https://notcve.org/view.php?id=CVE-2016-9877
29 Dec 2016 — An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected. Un problema fue descubierto en Pivotal RabbitMQ 3.x en versiones anteriores... • http://www.debian.org/security/2017/dsa-3761 • CWE-284: Improper Access Control •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2015-8786 – rabbitmq-server: DoS via lengths_age or lengths_incr parameter in the management plugin
https://notcve.org/view.php?id=CVE-2015-8786
09 Dec 2016 — The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter. El plugin Management en RabbitMQ en versiones anteriores a 3.6.1 permite a usuarios remotos autenticados con ciertos privilegios provocar una denegación de servicio (consumo de recursos) a través del parámetro (1) lengths_age o (2) lengths_incr. A resource-consumption flaw was found in RabbitMQ Serv... • http://rhn.redhat.com/errata/RHSA-2017-0226.html • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2016-0929
https://notcve.org/view.php?id=CVE-2016-0929
18 Sep 2016 — The metrics-collection component in RabbitMQ for Pivotal Cloud Foundry (PCF) 1.6.x before 1.6.4 logs command lines of failed commands, which might allow context-dependent attackers to obtain sensitive information by reading the log data, as demonstrated by a syslog message that contains credentials from a command line. El componente metrics-collection en RabbitMQ para Pivotal Cloud Foundry (PCF) 1.6.x en versiones anteriores a 1.6.4 registra las líneas de comandos de comandos fallidos, lo que podría permiti... • http://www.securityfocus.com/bid/91801 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2014-9568
https://notcve.org/view.php?id=CVE-2014-9568
03 Feb 2015 — puppetlabs-rabbitmq 3.0 through 4.1 stores the RabbitMQ Erlang cookie value in the facts of a node, which allows local users to obtain sensitive information as demonstrated by using Facter. puppetlabs-rabbitmq 3.0 hasta 4.1 almacena el valor de la cookie RabbitMQ Erlang en los hechos de un nodo, lo que permite a usuarios locales obtener información sensible como fue demostrado mediante el uso de Facter. • http://puppetlabs.com/security/cve/cve-2014-9568 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 44EXPL: 0CVE-2014-9650 – RabbitMQ: /api/definitions response splitting vulnerability
https://notcve.org/view.php?id=CVE-2014-9650
27 Jan 2015 — CRLF injection vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the download parameter to api/definitions. Vulnerabilidad de inyección CRLF en el plugin de gestión en RabbitMQ 2.1.0 hasta 3.4.x anterior a 3.4.1 permite a atacantes remotos inyectar cabeceras HTTP arbitrarias y realizar ataques de división de respuestas HTTP a través del parámetro download en api/definiti... • http://rhn.redhat.com/errata/RHSA-2016-0308.html • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •