CVE-2016-9877 (retired)

Priority
Description
An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x
before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12,
and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection
authentication with a username/password pair succeeds if an existing
username is provided but the password is omitted from the connection
request. Connections that use TLS with a client-provided certificate are
not affected.
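As an added example (not part of this advisory and not RabbitMQ code), the Python below parses an MQTT 3.1/3.1.1 CONNECT packet and reports the condition described above: the username flag is set while the password flag is clear. The function names and the sample packets are constructed for illustration.

```python
import struct

def _field(buf, pos):
    """Read one 2-byte length-prefixed field; return (data, next_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def inspect_connect(packet):
    """Describe the auth fields of an MQTT CONNECT; None for other packet types."""
    if len(packet) < 2 or packet[0] >> 4 != 1:   # packet type 1 = CONNECT
        return None
    try:
        # Remaining length: 1-4 bytes, 7 bits each, high bit = continuation.
        length, shift, pos = 0, 0, 1
        while True:
            byte = packet[pos]
            pos += 1
            length |= (byte & 0x7F) << shift
            shift += 7
            if not byte & 0x80:
                break
            if shift > 21:
                raise ValueError("malformed remaining length")
        body = packet[pos:pos + length]
        _, p = _field(body, 0)        # protocol name ("MQTT" or "MQIsdp")
        flags = body[p + 1]           # body[p] is the protocol level
        p += 4                        # level (1) + flags (1) + keep-alive (2)
        _, p = _field(body, p)        # client identifier
        if flags & 0x04:              # will flag: skip will topic and message
            _, p = _field(body, p)
            _, p = _field(body, p)
        username = None
        if flags & 0x80:              # username flag
            raw, p = _field(body, p)
            username = raw.decode("utf-8", "replace")
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated CONNECT packet") from exc
    has_password = bool(flags & 0x40)  # password flag
    return {"username": username, "has_password": has_password,
            "password_omitted": username is not None and not has_password}

# Constructed sample packets (client id "c1", user "sensor01"), not captured traffic.
NO_PASSWORD = bytes.fromhex("1018 0004 4d515454 04 82 003c 0002 6331 0008 73656e736f723031")
WITH_PASSWORD = bytes.fromhex("101c 0004 4d515454 04 c2 003c 0002 6331 0008 73656e736f723031 0002 7077")
ANONYMOUS = bytes.fromhex("100e 0004 4d515454 04 02 003c 0002 6331")
```

A username without a password is permitted by the MQTT specification, so a `password_omitted` result is a signal to check against the broker version and its configured users, not a protocol violation in itself.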
Package
Upstream: released (3.5.8, 3.6.6)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needed)
Ubuntu 14.04 LTS (Trusty Tahr): released (3.2.4-1ubuntu0.1)
Ubuntu 16.04 LTS (Xenial Xerus): released (3.5.7-1ubuntu0.16.04.2)
Patches:
Upstream: https://github.com/rabbitmq/rabbitmq-mqtt/commit/039a3c22e57bf77b325d19494a9b20cd745f1ea7 (3.7.0)
Upstream: https://github.com/rabbitmq/rabbitmq-mqtt/commit/157948d86d391a325ac9702f78976c175ced58be (3.5.8)
More Information

Updated: 2019-03-26 12:23:42 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)