Bug 2354973 (CVE-2025-30219)
| Summary: | CVE-2025-30219 rabbitmq: RabbitMQ has XSS Vulnerability in an Error Message in Management UI | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | eglynn, jjoyce, jschluet, lhh, lsvaty, mburns, mgarciac, pgrist |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in the RabbitMQ package. Affected versions of RabbitMQ are vulnerable to an attack that can modify the virtual host name on the disk and then make it unrecoverable, with other on disk file modifications. This issue can lead to arbitrary JavaScript code execution in the browsers of management UI users. When a virtual host on a RabbitMQ node fails to start, recent versions will display an error message notification in the management UI, including the virtual host name, which was not escaped prior to open source RabbitMQ and Tanzu RabbitMQ. This attack makes a virtual host fail to start and creates a new virtual host name with a XSS code snippet or changes the name of an existing virtual host on disk.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2354995, 2354994 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2025-03-25 23:01:03 UTC
|