1764329 – (CVE-2019-11281) CVE-2019-11281 rabbitmq-server: improper sanitization of vhost limits and federation management UI pages

Bug 1764329 (CVE-2019-11281) - CVE-2019-11281 rabbitmq-server: improper sanitization of vhost limits and federation management UI pages

Summary: CVE-2019-11281 rabbitmq-server: improper sanitization of vhost limits and fed...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-11281
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1767277 1767275 1767276 1767278 1767279 1767280 1767281
Blocks:	1764331
TreeView+	depends on / blocked

Reported:	2019-10-22 19:07 UTC by Pedro Sampaio
Modified:	2021-10-25 09:56 UTC (History)
CC List:	23 users (show)
Fixed In Version:	rabbitmq-server 3.7.18
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in the rabbitmq-server. User input for the virtual host limits page and the federation management UI was not properly sanitized. A remote, authenticated administrative user could create a cross-site scripting attack leading to access to virtual hosts and policy management information.
Clone Of:
Environment:
Last Closed:	2021-10-25 09:56:02 UTC
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2019-10-22 19:07:26 UTC

Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.

References:

https://pivotal.io/security/cve-2019-11281

Comment 3 Summer Long 2019-10-30 05:18:17 UTC

External References:

https://pivotal.io/security/cve-2019-11281
https://github.com/rabbitmq/rabbitmq-server/releases/tag/v3.7.18

Comment 4 Summer Long 2019-10-31 04:26:38 UTC

Created rabbitmq-server tracking bugs for this issue:

Affects: epel-all [bug 1767277]
Affects: fedora-all [bug 1767276]
Affects: openstack-rdo [bug 1767275]

Comment 6 Summer Long 2019-10-31 04:30:25 UTC

Pivotal didn't link updates/fixes. However, these commits appear to match the issue:
Federation-management (https://www.rabbitmq.com/federation.html) https://github.com/rabbitmq/rabbitmq-federation-management/commit/7cfcb359cb5eed429aaf0b0e42e281a3d57ff19f
Shovel: https://github.com/rabbitmq/rabbitmq-shovel-management/commit/08b7e5c71ee4cfd932da250866151f5e882fabb8#diff-6f04a4bd5ee10b78a68a9164f883a6d2

Comment 7 Summer Long 2019-10-31 05:06:40 UTC

Mitigation:

There is no mitigation for this issue, the flaw can only be resolved by applying updates.

Note You need to log in before you can comment on or make changes to this bug.

apevec
dajohnso
dmetzger
gblomqui
gmccullo
gtanzill
jeckersb
jhardy
jjoyce
jlaska
jschluet
kdixon
lemenkov
lhh
lpeer
mburns
plemenko
rjones
roliveri
sclewis
simaishi
slinaber
s