CVE-2017-4966

HIGH

Pivotal RabbitMQ <3.6.9 - Info Disclosure

Title source: llm
STIX 2.1

Description

An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. RabbitMQ management UI stores signed-in user credentials in a browser's local storage without expiration, making it possible to retrieve them using a chained attack.

References (2)

Core 2
Core References
Mitigation, Vendor Advisory x_refsource_confirm
https://pivotal.io/security/cve-2017-4966
Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html

Scores

CVSS v3 7.8
EPSS 0.0019
EPSS Percentile 40.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-200
Status published
Products (50)
broadcom/rabbitmq_server 3.4.0
broadcom/rabbitmq_server 3.4.1
broadcom/rabbitmq_server 3.4.2
broadcom/rabbitmq_server 3.4.3
broadcom/rabbitmq_server 3.4.4
broadcom/rabbitmq_server 3.5.0
broadcom/rabbitmq_server 3.5.1
broadcom/rabbitmq_server 3.5.2
broadcom/rabbitmq_server 3.5.3
broadcom/rabbitmq_server 3.5.6
... and 40 more
Published Jun 13, 2017
Tracked Since Feb 18, 2026