CVSS: 9.8EPSS: 0%CPEs: 76EXPL: 0CVE-2016-9877
https://notcve.org/view.php?id=CVE-2016-9877
An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected. Un problema fue descubierto en Pivotal RabbitMQ 3.x en versiones anteriores a 3.5.8 y 3.6.x en versiones anteriores a 3.6.6 y RabbitMQ for PCF 1.5.x en versiones anteriores a 1.5.20, 1.6.x en versiones anteriores a 1.6.12 y 1.7.x en versiones anteriores a 1.7.7. Autenticación de conexión MQTT (MQ Telemetry Transport) con un nombre de usuario/contraseña tiene éxito si se provee un nombre de usuario existente pero la contraseña es omitida de la petición de conexión. • http://www.debian.org/security/2017/dsa-3761 http://www.securityfocus.com/bid/95065 https://pivotal.io/security/cve-2016-9877 https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03880en_us • CWE-284: Improper Access Control •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2015-8786 – rabbitmq-server: DoS via lengths_age or lengths_incr parameter in the management plugin
https://notcve.org/view.php?id=CVE-2015-8786
The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter. El plugin Management en RabbitMQ en versiones anteriores a 3.6.1 permite a usuarios remotos autenticados con ciertos privilegios provocar una denegación de servicio (consumo de recursos) a través del parámetro (1) lengths_age o (2) lengths_incr. A resource-consumption flaw was found in RabbitMQ Server, where the lengths_age or lengths_incr parameters were not validated in the management plugin. Remote, authenticated users with certain privileges could exploit this flaw to cause a denial of service by passing values which were too large. • http://rhn.redhat.com/errata/RHSA-2017-0226.html http://rhn.redhat.com/errata/RHSA-2017-0530.html http://rhn.redhat.com/errata/RHSA-2017-0531.html http://rhn.redhat.com/errata/RHSA-2017-0532.html http://rhn.redhat.com/errata/RHSA-2017-0533.html http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.securityfocus.com/bid/91508 https://github.com/rabbitmq/rabbitmq-management/issues/97 https://github.com/rabbitmq/rabbitmq-server/releases/tag/ • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2016-0929
https://notcve.org/view.php?id=CVE-2016-0929
The metrics-collection component in RabbitMQ for Pivotal Cloud Foundry (PCF) 1.6.x before 1.6.4 logs command lines of failed commands, which might allow context-dependent attackers to obtain sensitive information by reading the log data, as demonstrated by a syslog message that contains credentials from a command line. El componente metrics-collection en RabbitMQ para Pivotal Cloud Foundry (PCF) 1.6.x en versiones anteriores a 1.6.4 registra las líneas de comandos de comandos fallidos, lo que podría permitir a atacantes dependientes de contexto obtener información sensible mediante la lectura de datos de registro, como se demuestra por un mensaje syslog que contiene credenciales de una línea de comandos. • http://www.securityfocus.com/bid/91801 https://pivotal.io/security/cve-2016-0929 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 2.1EPSS: 0%CPEs: 3EXPL: 0CVE-2014-9568
https://notcve.org/view.php?id=CVE-2014-9568
puppetlabs-rabbitmq 3.0 through 4.1 stores the RabbitMQ Erlang cookie value in the facts of a node, which allows local users to obtain sensitive information as demonstrated by using Facter. puppetlabs-rabbitmq 3.0 hasta 4.1 almacena el valor de la cookie RabbitMQ Erlang en los hechos de un nodo, lo que permite a usuarios locales obtener información sensible como fue demostrado mediante el uso de Facter. • http://puppetlabs.com/security/cve/cve-2014-9568 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 44EXPL: 0CVE-2014-9649 – RabbitMQ: /api/... XSS vulnerability
https://notcve.org/view.php?id=CVE-2014-9649
Cross-site scripting (XSS) vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary web script or HTML via the path info to api/, which is not properly handled in an error message. Vulnerabilidad de XSS en el plugin de gestión en RabbitMQ 2.1.0 hasta 3.4.x anterior a 3.4.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de la información de rutas en api/, lo que no se maneja correctamente en un mensaje de error. A cross-site scripting vulnerability was discovered in RabbitMQ, which allowed using api/ path info to inject and receive data. A remote attacker could use this flaw to create an "/api/..." URL, forcing a server error that resulted in the server returning an HTML page with embedded text from the URL (not escaped). • http://rhn.redhat.com/errata/RHSA-2016-0308.html http://www.openwall.com/lists/oss-security/2015/01/21/13 http://www.rabbitmq.com/release-notes/README-3.4.1.txt http://www.securityfocus.com/bid/76084 https://groups.google.com/forum/#%21topic/rabbitmq-users/-3Z2FyGtXhs https://access.redhat.com/security/cve/CVE-2014-9649 https://bugzilla.redhat.com/show_bug.cgi?id=1185514 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •