Bug 1764329 (CVE-2019-11281)
Summary: | CVE-2019-11281 rabbitmq-server: improper sanitization of vhost limits and federation management UI pages | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | apevec, dajohnso, dmetzger, gblomqui, gmccullo, gtanzill, jeckersb, jhardy, jjoyce, jlaska, jschluet, kdixon, lemenkov, lhh, lpeer, mburns, plemenko, rjones, roliveri, sclewis, simaishi, slinaber, s |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | rabbitmq-server 3.7.18 | Doc Type: | If docs needed, set a value |
Doc Text: |
A vulnerability was found in the rabbitmq-server. User input for the virtual host limits page and the federation management UI was not properly sanitized. A remote, authenticated administrative user could create a cross-site scripting attack leading to access to virtual hosts and policy management information.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-10-25 09:56:02 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1767277, 1767275, 1767276, 1767278, 1767279, 1767280, 1767281 | ||
Bug Blocks: | 1764331 |
Description
Pedro Sampaio
2019-10-22 19:07:26 UTC
External References: https://pivotal.io/security/cve-2019-11281 https://github.com/rabbitmq/rabbitmq-server/releases/tag/v3.7.18 Created rabbitmq-server tracking bugs for this issue: Affects: epel-all [bug 1767277] Affects: fedora-all [bug 1767276] Affects: openstack-rdo [bug 1767275] Pivotal didn't link updates/fixes. However, these commits appear to match the issue: Federation-management (https://www.rabbitmq.com/federation.html) https://github.com/rabbitmq/rabbitmq-federation-management/commit/7cfcb359cb5eed429aaf0b0e42e281a3d57ff19f Shovel: https://github.com/rabbitmq/rabbitmq-shovel-management/commit/08b7e5c71ee4cfd932da250866151f5e882fabb8#diff-6f04a4bd5ee10b78a68a9164f883a6d2 Mitigation: There is no mitigation for this issue, the flaw can only be resolved by applying updates. |