Bug 1783327 (CVE-2019-11291)
Summary: | CVE-2019-11291 rabbitmq-server: not properly sanitized user input may lead to XSS | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | apevec, dbecker, dmetzger, gblomqui, gmainwar, gmccullo, gtanzill, jeckersb, jfrey, jhardy, jjoyce, jlaska, jschluet, kbasil, kdixon, lemenkov, lhh, lpeer, mburns, obarenbo, plemenko, rjones, roliveri, sclewis, simaishi, slinaber, slong, smallamp, s |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | rabbitmq-server 3.7.20, rabbitmq-server 3.8.1 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was discovered in rabbitmq-server where two endpoints, federation and shovel, do not properly sanitize user input. A remote, authenticated user, with administrative access, could execute a cross site scripting attack, using the vhost or node name fields, that could grant access to virtual hosts and policy management information. The largest threat associated with this vulnerability is to data confidentiality and integrity.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2020-02-19 20:09:35 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1783328, 1783329, 1786019, 1786020, 1786021, 1786022, 1786023 | ||
Bug Blocks: | 1783331 |
Description
Marian Rehak
2019-12-13 15:05:00 UTC
Created rabbitmq-server tracking bugs for this issue: Affects: fedora-all [bug 1783329] Affects: openstack-rdo [bug 1783328] External References: https://pivotal.io/security/cve-2019-11291 This issue has been addressed in the following products: Red Hat OpenStack Platform 15.0 (Stein) Via RHSA-2020:0553 https://access.redhat.com/errata/RHSA-2020:0553 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11291 |