Vulnerability Name: | CVE-2018-1279 (CCN-154167) | ||||||||||||
Assigned: | 2017-12-06 | ||||||||||||
Published: | 2018-12-05 | ||||||||||||
Updated: | 2019-10-09 | ||||||||||||
Summary: | Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster. | ||||||||||||
CVSS v3 Severity: | 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) 5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
7.1 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
| ||||||||||||
CVSS v2 Severity: | 3.3 Low (CVSS v2 Vector: AV:A/AC:L/Au:N/C:P/I:N/A:N)
| ||||||||||||
Vulnerability Type: | CWE-330 | ||||||||||||
Vulnerability Consequences: | Bypass Security | ||||||||||||
References: | Source: MITRE Type: CNA CVE-2018-1279 Source: XF Type: UNKNOWN pivotal-cve20181279-sec-bypass(154167) Source: CCN Type: Pivotal Web site CVE-2018-1279: RabbitMQ cluster compromise due to deterministically generated cookie Source: CONFIRM Type: Mitigation, Vendor Advisory https://pivotal.io/security/cve-2018-1279 | ||||||||||||
Vulnerable Configuration: | Configuration 1: Denotes that component is vulnerable | ||||||||||||
BACK |