CVE-2017-4966

An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. RabbitMQ management UI stores signed-in user credentials in a browser's local storage without expiration, making it possible to retrieve them using a chained attack.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
dellCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 26%
VendorProductVersion
broadcomrabbitmq_server
3.4.0
broadcomrabbitmq_server
3.4.1
broadcomrabbitmq_server
3.4.2
broadcomrabbitmq_server
3.4.3
broadcomrabbitmq_server
3.4.4
broadcomrabbitmq_server
3.5.0
broadcomrabbitmq_server
3.5.1
broadcomrabbitmq_server
3.5.2
broadcomrabbitmq_server
3.5.3
broadcomrabbitmq_server
3.5.6
broadcomrabbitmq_server
3.6.7
pivotal_softwarerabbitmq
3.5.4
pivotal_softwarerabbitmq
3.5.5
pivotal_softwarerabbitmq
3.5.7
pivotal_softwarerabbitmq
3.6.0
pivotal_softwarerabbitmq
3.6.1
pivotal_softwarerabbitmq
3.6.2
pivotal_softwarerabbitmq
3.6.3
pivotal_softwarerabbitmq
3.6.4
pivotal_softwarerabbitmq
3.6.5
pivotal_softwarerabbitmq
3.6.6
pivotal_softwarerabbitmq
1.5.0
pivotal_softwarerabbitmq
1.5.1
pivotal_softwarerabbitmq
1.5.2
pivotal_softwarerabbitmq
1.5.3
pivotal_softwarerabbitmq
1.5.4
pivotal_softwarerabbitmq
1.5.5
pivotal_softwarerabbitmq
1.5.6
pivotal_softwarerabbitmq
1.5.7
pivotal_softwarerabbitmq
1.5.8
pivotal_softwarerabbitmq
1.5.9
pivotal_softwarerabbitmq
1.5.10
pivotal_softwarerabbitmq
1.5.11
pivotal_softwarerabbitmq
1.5.12
pivotal_softwarerabbitmq
1.5.13
pivotal_softwarerabbitmq
1.5.14
pivotal_softwarerabbitmq
1.5.15
pivotal_softwarerabbitmq
1.5.17
pivotal_softwarerabbitmq
1.5.18
pivotal_softwarerabbitmq
1.5.19
pivotal_softwarerabbitmq
1.6.0
pivotal_softwarerabbitmq
1.6.1
pivotal_softwarerabbitmq
1.6.2
pivotal_softwarerabbitmq
1.6.3
pivotal_softwarerabbitmq
1.6.4
pivotal_softwarerabbitmq
1.6.5
pivotal_softwarerabbitmq
1.6.6
pivotal_softwarerabbitmq
1.6.7
pivotal_softwarerabbitmq
1.6.8
pivotal_softwarerabbitmq
1.6.9
pivotal_softwarerabbitmq
1.6.10
pivotal_softwarerabbitmq
1.6.12
pivotal_softwarerabbitmq
1.6.13
pivotal_softwarerabbitmq
1.6.14
pivotal_softwarerabbitmq
1.6.15
pivotal_softwarerabbitmq
1.6.16
pivotal_softwarerabbitmq
1.7.0
pivotal_softwarerabbitmq
1.7.2
pivotal_softwarerabbitmq
1.7.3
pivotal_softwarerabbitmq
1.7.4
pivotal_softwarerabbitmq
1.7.5
pivotal_softwarerabbitmq
1.7.6
pivotal_softwarerabbitmq
1.7.7
pivotal_softwarerabbitmq
1.7.8
pivotal_softwarerabbitmq
1.7.9
pivotal_softwarerabbitmq
1.7.10
pivotal_softwarerabbitmq
1.7.13
pivotal_softwarerabbitmq
1.7.14
debiandebian_linux
9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
rabbitmq-server
bullseye (security)
3.8.9-3+deb11u1
fixed
bullseye
3.8.9-3+deb11u1
fixed
jessie
not-affected
wheezy
not-affected
bookworm
3.10.8-1.1+deb12u1
fixed
bookworm (security)
3.10.8-1.1+deb12u1
fixed
sid
3.10.8-3
fixed
trixie
3.10.8-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
rabbitmq-server
lunar
not-affected
kinetic
not-affected
jammy
not-affected
impish
not-affected
hirsute
not-affected
groovy
not-affected
focal
not-affected
eoan
not-affected
disco
not-affected
cosmic
not-affected
bionic
not-affected
artful
not-affected
zesty
ignored
yakkety
ignored
xenial
Fixed 3.5.7-1ubuntu0.16.04.4+esm2
released
trusty
dne
precise
not-affected
Common Weakness Enumeration
References
https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html
https://pivotal.io/security/cve-2017-4966
https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html
https://pivotal.io/security/cve-2017-4966