CVE-2016-9877 RabbitMQ authentication vulnerability
Bug #1706900 reported by Nils Toedtmann
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
RabbitMQ | Fix Released | Unknown | | |
rabbitmq-server (Ubuntu) | Fix Released | Medium | Unassigned | |
Trusty | Fix Released | High | Marc Deslauriers | |
Xenial | Fix Released | High | Marc Deslauriers | |
Bug Description
https:/
"MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected."
Affects RabbitMQ "3.x versions prior to 3.5.8"
Ubuntu's Xenial repos are currently offering 3.5.7-1ubuntu0.
CVE References
information type: Private Security → Public Security
Changed in rabbitmq:
status: Unknown → Fix Released
Changed in rabbitmq-server (Ubuntu):
status: Triaged → Fix Released
Changed in rabbitmq-server (Ubuntu Trusty):
status: New → Confirmed
Changed in rabbitmq-server (Ubuntu Xenial):
status: New → Confirmed
Changed in rabbitmq-server (Ubuntu Trusty):
importance: Undecided → High
Changed in rabbitmq-server (Ubuntu Xenial):
importance: Undecided → High
Changed in rabbitmq-server (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in rabbitmq-server (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Hello and thanks for the bug report! We are aware of this issue and are tracking in the Ubuntu CVE Tracker:
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9877.html
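The condition quoted in the bug description (a username supplied with the password omitted) is visible in the flags byte of the MQTT CONNECT packet, so a broker-side proxy or capture review can flag it. The following is an added example, not part of this bug report and not RabbitMQ's code; it assumes MQTT 3.1/3.1.1 CONNECT framing, and the function names and sample packets are constructed for illustration.

```python
import struct

def _field(buf, pos):
    """Read one 2-byte-length-prefixed MQTT field; return (bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length prefix")
    end = pos + 2 + struct.unpack_from(">H", buf, pos)[0]
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:end], end

def inspect_connect(packet):
    """Parse an MQTT 3.1/3.1.1 CONNECT; return None for other packet types."""
    if len(packet) < 2 or packet[0] >> 4 != 1:
        return None
    # Variable-length "remaining length": 7 bits per byte, at most 4 bytes.
    length, pos = 0, 1
    for shift in range(0, 28, 7):
        if pos >= len(packet):
            raise ValueError("truncated remaining length")
        byte = packet[pos]
        pos += 1
        length |= (byte & 0x7F) << shift
        if not byte & 0x80:
            break
    else:
        raise ValueError("malformed remaining length")
    body = packet[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    _proto, p = _field(body, 0)
    if p + 4 > len(body) or body[p] not in (3, 4):
        raise ValueError("not an MQTT 3.1/3.1.1 CONNECT")
    flags = body[p + 1]
    _client_id, p = _field(body, p + 4)   # skip level, flags, keep-alive
    if flags & 0x04:                      # will topic and will message
        _, p = _field(body, p)
        _, p = _field(body, p)
    username = None
    if flags & 0x80:                      # user name flag
        raw, p = _field(body, p)
        username = raw.decode("utf-8", "replace")
    has_password = bool(flags & 0x40)     # password flag
    return {"username": username, "password_present": has_password,
            "username_without_password": username is not None and not has_password}

# Constructed sample packets (client id "c1", user "guest"), not captured traffic.
NO_PASSWORD = b"\x10\x15\x00\x04MQTT\x04\x82\x00\x3c\x00\x02c1\x00\x05guest"
WITH_PASSWORD = b"\x10\x19\x00\x04MQTT\x04\xc2\x00\x3c\x00\x02c1\x00\x05guest\x00\x02pw"
```

Connections flagged this way on a listener that does not require client certificates are the ones to review on brokers older than the fixed version named in the advisory.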