Vulnerability Name: CVE-2014-9494 (CCN-99685)

Assigned: 2015-01-06
Published: 2015-01-06
Updated: 2018-08-13
Summary: RabbitMQ before 3.4.0 allows remote attackers to bypass the loopback_users restriction via a crafted X-Forwarded-For header.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
  Scope:
    Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): Low
    Availability (A): None

CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
                  3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): None
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): Partial
    Availability (A): None

CCN CVSS v2 Severity: 5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
                      3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): None
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): Partial
    Availability (A): None

Vulnerability Type: CWE-264
Vulnerability Consequences: Bypass Security
References:

Source: MITRE
Type: CNA
CVE-2014-9494

Source: CCN
Type: oss-security Mailing List, Sat, 3 Jan 2015 19:03:12 -0500 (EST)
Re: CVE request: insufficient 'X-Forwarded-For' header validation in rabbitmq-server

Source: MLIST
Type: UNKNOWN
[oss-security] 20150103 Re: CVE request: insufficient 'X-Forwarded-For' header validation in rabbitmq-server

Source: CCN
Type: IBM Security Bulletin T1022374
IBM Cloud Manager with OpenStack RabbitMQ Vulnerability (CVE-2014-9494)

Source: CCN
Type: RabbitMQ Web site
RabbitMQ

Source: CONFIRM
Type: Vendor Advisory
http://www.rabbitmq.com/release-notes/README-3.4.0.txt

Source: CCN
Type: BID-71859
RabbitMQ 'rabbit_mgmt_util.erl' Security Bypass Vulnerability

Source: CCN
Type: Red Hat Bugzilla – Bug 1174872
(CVE-2014-9494) CVE-2014-9494 rabbitmq-server: insufficient 'X-Forwarded-For' header validation

Source: XF
Type: UNKNOWN
rabbitmq-cve20149494-sec-bypass(99685)

Source: CONFIRM
Type: UNKNOWN
https://groups.google.com/forum/#!topic/rabbitmq-users/DMkypbSvIyM

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-9494

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:pivotal_software:rabbitmq:*:*:*:*:*:*:*:* (Version <= 3.3.5)

Configuration CCN 1:
  • cpe:/a:pivotal_software:rabbitmq:3.3.0:*:*:*:*:*:*:*
  AND
  • cpe:/a:ibm:cloud_manager:4.2.0:*:*:*:*:openstack:*:*

  * Denotes that component is vulnerable
Oval Definitions

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20149494 | V | CVE-2014-9494 | 2022-09-02
oval:org.opensuse.security:def:3475 | P | dovecot22-2.2.31-19.17.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:95105 | P | erlang-rabbitmq-client-3.8.11-3.3.3 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:112197 | P | erlang-rabbitmq-client-3.5.4-1.4 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:94203 | P | (Important) | 2021-12-06
oval:org.opensuse.security:def:55253 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:105728 | P | erlang-rabbitmq-client-3.5.4-1.4 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:55936 | P | Security update for fetchmail (Moderate) | 2021-08-18
oval:org.opensuse.security:def:63326 | P | erlang-rabbitmq-client-3.8.11-1.26 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:2237 | P | erlang-rabbitmq-client-3.8.11-1.26 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:100916 | P | libidn2-0-2.2.0-3.6.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:66872 | P | Security update for libvirt (Moderate) | 2021-07-27
oval:org.opensuse.security:def:1616 | P | Security update for apache2 (Important) | 2021-06-22
oval:org.opensuse.security:def:70228 | P | Security update for avahi (Important) | 2021-06-03
oval:org.opensuse.security:def:66780 | P | Security update for djvulibre (Important) | 2021-05-19
oval:org.opensuse.security:def:73445 | P | Security update for perl-Convert-ASN1 (Moderate) | 2021-01-21
oval:org.opensuse.security:def:2172 | P | erlang-rabbitmq-client-3.8.3-1.27 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:73563 | P | Security update for xen (Important) | 2020-12-03
oval:org.opensuse.security:def:117140 | P | erlang-rabbitmq-client-3.8.3-1.27 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:55770 | P | Security update for gdm (Important) | 2020-12-03
oval:org.opensuse.security:def:63261 | P | erlang-rabbitmq-client-3.8.3-1.27 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:107582 | P | erlang-rabbitmq-client-3.8.3-1.27 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:70123 | P | libvdpau-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56495 | P | Security update for openssl (Moderate) | 2020-12-01
oval:org.opensuse.security:def:55491 | P | Security update for tcpdump (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56221 | P | Security update for binutils (Moderate) | 2020-12-01
oval:org.opensuse.security:def:55091 | P | dhcp on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56533 | P | Security update for ImageMagick (Moderate) | 2020-12-01
oval:org.opensuse.security:def:55664 | P | Security update for ecryptfs-utils (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50003 | P | gtk-vnc-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56329 | P | Security update for openvpn (Important) | 2020-12-01
oval:org.opensuse.security:def:55113 | P | gd on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50057 | P | erlang-rabbitmq-client on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56614 | P | Security update for soundtouch (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56421 | P | Security update for libical (Moderate) | 2020-12-01
oval:org.opensuse.security:def:55090 | P | dbus-1-glib on GA media (Moderate) | 2020-12-01
oval:com.ubuntu.precise:def:20149494000 | V | CVE-2014-9494 on Ubuntu 12.04 LTS (precise) - low. | 2015-01-20
oval:com.ubuntu.trusty:def:20149494000 | V | CVE-2014-9494 on Ubuntu 14.04 LTS (trusty) - low. | 2015-01-20