{"id":"CVE-2016-9877","details":"An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected.","modified":"2026-04-10T03:55:31.015317Z","published":"2016-12-29T09:59:00.790Z","related":["openSUSE-SU-2024:11294-1"],"references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/95065"},{"type":"WEB","url":"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03880en_us"},{"type":"ADVISORY","url":"https://pivotal.io/security/cve-2016-9877"},{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3761"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rabbitmq/rabbitmq-server","events":[{"introduced":"0"},{"last_affected":"100b64db3d02bdce28dd13db3c090d3ff5243c60"},{"introduced":"0"},{"last_affected":"50ea4f716bee4fb9f4417032dd6baf9fe4bfda96"},{"introduced":"0"},{"last_affected":"6c0546e98e8637c9eb0a3f4a74bdb902b58235d4"},{"introduced":"0"},{"last_affected":"dd7fc282e97adda4b71a8b3f3674bcb1e422d307"},{"introduced":"0"},{"last_affected":"553b643067473a87e978b66ad9b6c55a4edeebff"},{"introduced":"0"},{"last_affected":"9832d26368fa6518f837d22b4c0a4754f40d510e"},{"introduced":"0"},{"last_affected":"dc15c81266c919dea3b4e85f344d080f633ee3cc"},{"introduced":"0"},{"last_affected":"db9757b3255865f1df2e51397f16e0429a5a1756"},{"introduced":"0"},{"last_affected":"638ce362f1cfb2eca99fe534f7b7d34a02d3c439"},{"introduced":"0"},{"last_affected":"7ad66d0caf1ea3abf7e7345b4fca04ae64a78770"},{"introduced":"0"},{"last_affected":"8ce31bd7e3cbe510b0af558fbded2fd74d2112e4"},{"introduced":"0"},{"last_affected":"18ffa083c68e95590e1592db115a95bd55ff254b"},{"introduced":"0"},{"last_affected":"6712c606f7b35dddc3ca10901abdd02a750a57f9"},{"introduced":"0"},{"last_affected":"27fdf603ba44760195277bc32bcd475db5eb107b"},{"introduced":"0"},{"last_affected":"871d548c43cb8fb82be04c6fbb17c891d5bef007"},{"introduced":"0"},{"last_affected":"93fa34e483847e238c26f2dbc2f2d4f4fee931ec"},{"introduced":"0"},{"last_affected":"b3d3f23284a7a8b8f00940b087f664318730a3a6"},{"introduced":"0"},{"last_affected":"d26384bc698eaa788dabe68db246ce7752a5315b"},{"introduced":"0"},{"last_affected":"792e739f652296c4db7c3dea8ccff27fe2d1a0d7"},{"introduced":"0"},{"last_affected":"fdade2dc585ecd9347eec5518e318b865574a4df"},{"introduced":"0"},{"last_affected":"0286d688c2facc308d3165c6a1cbf2a68de11b5c"},{"introduced":"0"},{"last_affected":"c8ff546bfea20983ae5e07aa3f05655182295d99"},{"introduced":"0"},{"last_affected":"5aa9a3cec69e052fdf94fdb48cb831d01102a8e3"},{"introduced":"0"},{"last_affected":"e0c614a20c07df4853007a0a680da0391ef59f48"},{"introduced":"0"},{"last_affected":"90ea9de79665755123de9113da302884c207a16b"},{"introduced":"0"},{"last_affected":"d4a164c09e87f323efc1784b6d27ec5c1d39ab63"},{"introduced":"0"},{"last_affected":"d58371273e0d48dd11d2678479d10da8121b8c2f"},{"introduced":"0"},{"last_affected":"578cfc1916a4b6a8202b2f4698e35eb76942f061"},{"introduced":"0"},{"last_affected":"4fdd61b9c68b911b7d8c35bed385fb2167f173fa"},{"introduced":"0"},{"last_affected":"b5cc6a04168cf40241788e1dad0938ff7ae3ffe9"},{"introduced":"0"},{"last_affected":"f04d53ff82e04891ef6121e43a8cd40a60bfed1b"},{"introduced":"0"},{"last_affected":"1ea3cacdc04134cc3cb91652e54a64ba476658b6"},{"introduced":"0"},{"last_affected":"b877b98462adef4aa108033815cc6a7d6e4f2976"},{"introduced":"0"},{"last_affected":"3136aa25752542dfdbc7af3f77d8a66eb8d5d844"},{"introduced":"0"},{"last_affected":"61a5fd3950a5b34f596c48214c9299c7f4d4d582"},{"introduced":"0"},{"last_affected":"3d478460a3d9a94160e89ee82b85eb15ec5102a1"},{"introduced":"0"},{"last_affected":"9c33c701fa496826b53a7a387da3b5e4beaa6e87"},{"introduced":"0"},{"last_affected":"02146c99661fa0ff066387ec1b4648361cdda28e"},{"introduced":"0"},{"last_affected":"b6a3aa477156036c129d04a82c90ad916bc3865e"},{"introduced":"0"},{"last_affected":"40fc150ff49a95e771166da9cf14050d5bc95729"},{"introduced":"0"},{"last_affected":"ea4e59ee3018bd2824b003ac8f9db3e59c9d3413"},{"introduced":"0"},{"last_affected":"c00f44b52027b358996192e05fa507cc4bf404b7"},{"introduced":"0"},{"last_affected":"90103f770d38fac6282c49890be7d96e394f8ec7"},{"introduced":"0"},{"last_affected":"5acfba7103efd4dc8e48e39c740f3ab1969bbfad"},{"introduced":"0"},{"last_affected":"cee628003601efa6ffd67088c78c8c58ccc97f4c"},{"introduced":"0"},{"last_affected":"10d1421c0d985f96facc33182631852c8454544d"},{"introduced":"0"},{"last_affected":"c5068a8d77491ae96fa8b25436548ebcc0a9db08"},{"introduced":"0"},{"last_affected":"1db54c1fa3ed00f756c9779d778b64db139108fd"},{"introduced":"0"},{"last_affected":"ca4368bc0a353afbf0a8cfd602003960381556d3"},{"introduced":"0"},{"last_affected":"758c952bf09cb933955a97c90271bfa80ea7c366"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.0.0"},{"introduced":"0"},{"last_affected":"3.0.1"},{"introduced":"0"},{"last_affected":"3.0.2"},{"introduced":"0"},{"last_affected":"3.0.3"},{"introduced":"0"},{"last_affected":"3.0.4"},{"introduced":"0"},{"last_affected":"3.1.0"},{"introduced":"0"},{"last_affected":"3.1.1"},{"introduced":"0"},{"last_affected":"3.1.2"},{"introduced":"0"},{"last_affected":"3.1.3"},{"introduced":"0"},{"last_affected":"3.1.4"},{"introduced":"0"},{"last_affected":"3.1.5"},{"introduced":"0"},{"last_affected":"3.2.0"},{"introduced":"0"},{"last_affected":"3.2.1"},{"introduced":"0"},{"last_affected":"3.2.2"},{"introduced":"0"},{"last_affected":"3.2.3"},{"introduced":"0"},{"last_affected":"3.2.4"},{"introduced":"0"},{"last_affected":"3.3.0"},{"introduced":"0"},{"last_affected":"3.3.1"},{"introduced":"0"},{"last_affected":"3.3.2"},{"introduced":"0"},{"last_affected":"3.3.3"},{"introduced":"0"},{"last_affected":"3.3.4"},{"introduced":"0"},{"last_affected":"3.3.5"},{"introduced":"0"},{"last_affected":"3.4.0"},{"introduced":"0"},{"last_affected":"3.4.1"},{"introduced":"0"},{"last_affected":"3.4.2"},{"introduced":"0"},{"last_affected":"3.4.3"},{"introduced":"0"},{"last_affected":"3.4.4"},{"introduced":"0"},{"last_affected":"3.5.0"},{"introduced":"0"},{"last_affected":"3.5.1"},{"introduced":"0"},{"last_affected":"3.5.2"},{"introduced":"0"},{"last_affected":"3.5.3"},{"introduced":"0"},{"last_affected":"3.5.6"},{"introduced":"0"},{"last_affected":"3.5.4"},{"introduced":"0"},{"last_affected":"3.5.5"},{"introduced":"0"},{"last_affected":"3.5.7"},{"introduced":"0"},{"last_affected":"3.6.0"},{"introduced":"0"},{"last_affected":"3.6.1"},{"introduced":"0"},{"last_affected":"3.6.2"},{"introduced":"0"},{"last_affected":"3.6.3"},{"introduced":"0"},{"last_affected":"3.6.4"},{"introduced":"0"},{"last_affected":"3.6.5"},{"introduced":"0"},{"last_affected":"1.5.0"},{"introduced":"0"},{"last_affected":"1.5.1"},{"introduced":"0"},{"last_affected":"1.5.2"},{"introduced":"0"},{"last_affected":"1.5.3"},{"introduced":"0"},{"last_affected":"1.5.4"},{"introduced":"0"},{"last_affected":"1.5.5"},{"introduced":"0"},{"last_affected":"1.6.0"},{"introduced":"0"},{"last_affected":"1.7.0"},{"introduced":"0"},{"last_affected":"1.7.2"}]}}],"versions":["rabbitmq_v1_4_0","rabbitmq_v1_5_0","rabbitmq_v1_5_1","rabbitmq_v1_5_2","rabbitmq_v1_5_3","rabbitmq_v1_5_4","rabbitmq_v1_5_5","rabbitmq_v1_6_0","rabbitmq_v1_7_0","rabbitmq_v1_7_2","rabbitmq_v1_8_1","rabbitmq_v2_4_0","rabbitmq_v2_7_1","rabbitmq_v2_8_0","rabbitmq_v3_0_0","rabbitmq_v3_0_1","rabbitmq_v3_0_2","rabbitmq_v3_0_3","rabbitmq_v3_0_4","rabbitmq_v3_1_0","rabbitmq_v3_1_1","rabbitmq_v3_1_2","rabbitmq_v3_1_3","rabbitmq_v3_1_4","rabbitmq_v3_1_5","rabbitmq_v3_2_0","rabbitmq_v3_2_1","rabbitmq_v3_2_2","rabbitmq_v3_2_3","rabbitmq_v3_2_4","rabbitmq_v3_3_0","rabbitmq_v3_3_1","rabbitmq_v3_3_2","rabbitmq_v3_3_3","rabbitmq_v3_3_4","rabbitmq_v3_3_5","rabbitmq_v3_4_0","rabbitmq_v3_4_1","rabbitmq_v3_4_2","rabbitmq_v3_4_3","rabbitmq_v3_4_4","rabbitmq_v3_5_0","rabbitmq_v3_5_1","rabbitmq_v3_5_2","rabbitmq_v3_5_3","rabbitmq_v3_5_4","rabbitmq_v3_5_4_rc1","rabbitmq_v3_5_4_rc2","rabbitmq_v3_5_5","rabbitmq_v3_5_5_rc1","rabbitmq_v3_5_5_rc2","rabbitmq_v3_5_6","rabbitmq_v3_5_7","rabbitmq_v3_5_7_rc1","rabbitmq_v3_5_7_rc2","rabbitmq_v3_6_0","rabbitmq_v3_6_0_milestone1","rabbitmq_v3_6_0_milestone2","rabbitmq_v3_6_0_milestone3","rabbitmq_v3_6_0_rc1","rabbitmq_v3_6_0_rc2","rabbitmq_v3_6_0_rc3","rabbitmq_v3_6_1","rabbitmq_v3_6_1_rc1","rabbitmq_v3_6_1_rc2","rabbitmq_v3_6_2","rabbitmq_v3_6_2_milestone1","rabbitmq_v3_6_2_milestone2","rabbitmq_v3_6_2_milestone3","rabbitmq_v3_6_2_milestone4","rabbitmq_v3_6_2_milestone5","rabbitmq_v3_6_2_rc1","rabbitmq_v3_6_2_rc2","rabbitmq_v3_6_2_rc3","rabbitmq_v3_6_2_rc4","rabbitmq_v3_6_3","rabbitmq_v3_6_3_milestone1","rabbitmq_v3_6_3_milestone2","rabbitmq_v3_6_3_rc1","rabbitmq_v3_6_3_rc2","rabbitmq_v3_6_3_rc3","rabbitmq_v3_6_4","rabbitmq_v3_6_4_milestone1","rabbitmq_v3_6_4_milestone2","rabbitmq_v3_6_4_rc1","rabbitmq_v3_6_5","rabbitmq_v3_6_5_milestone1","rabbitmq_v3_6_5_milestone2"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"1.5.6"}]},{"events":[{"introduced":"0"},{"last_affected":"1.5.7"}]},{"events":[{"introduced":"0"},{"last_affected":"1.5.8"}]},{"events":[{"introduced":"0"},{"last_affected":"1.5.9"}]},{"events":[{"introduced":"0"},{"last_affected":"1.5.10"}]},{"events":[{"introduced":"0"},{"last_affected":"1.5.11"}]},{"events":[{"introduced":"0"},{"last_affected":"1.5.12"}]},{"events":[{"introduced":"0"},{"last_affected":"1.5.13"}]},{"events":[{"introduced":"0"},{"last_affected":"1.5.14"}]},{"events":[{"introduced":"0"},{"last_affected":"1.5.15"}]},{"events":[{"introduced":"0"},{"last_affected":"1.5.17"}]},{"events":[{"introduced":"0"},{"last_affected":"1.5.18"}]},{"events":[{"introduced":"0"},{"last_affected":"1.6.1"}]},{"events":[{"introduced":"0"},{"last_affected":"1.6.2"}]},{"events":[{"introduced":"0"},{"last_affected":"1.6.3"}]},{"events":[{"introduced":"0"},{"last_affected":"1.6.4"}]},{"events":[{"introduced":"0"},{"last_affected":"1.6.5"}]},{"events":[{"introduced":"0"},{"last_affected":"1.6.6"}]},{"events":[{"introduced":"0"},{"last_affected":"1.6.7"}]},{"events":[{"introduced":"0"},{"last_affected":"1.6.8"}]},{"events":[{"introduced":"0"},{"last_affected":"1.6.9"}]},{"events":[{"introduced":"0"},{"last_affected":"1.6.10"}]},{"events":[{"introduced":"0"},{"last_affected":"1.7.3"}]},{"events":[{"introduced":"0"},{"last_affected":"1.7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"1.7.5"}]},{"events":[{"introduced":"0"},{"last_affected":"1.7.6"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-9877.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}