In RabbitMQ, the 'loopback_users' configuration directive allows specifying a list of users that are only permitted to connect to the broker via localhost. It was found that RabbitMQ's management plug-in did not sufficiently validate the 'X-Forwarded-For' header when determining the remote address. A remote attacker able to send a specially crafted 'X-Forwarded-For' header to RabbitMQ could use this flaw to connect to the broker as if they were a localhost user. Note that the attacker must know valid user credentials in order to connect to the broker.
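The following is an added illustration of the flaw described above, not code from RabbitMQ (whose management plug-in is written in Erlang) or from this bug. It models the decision "is this request local?" for a user listed in loopback_users, once in the vulnerable form that believes any client-supplied X-Forwarded-For, and once in a hardened form that only honours the header when the TCP peer is a configured reverse proxy and then uses the right-most hop that proxy appended. The user name, proxy address, attacker address and function names are all assumed for the example; authentication is taken to have already succeeded, matching the note that the attacker needs valid credentials.

```python
"""Constructed model of a loopback_users check that trusts X-Forwarded-For.

Not RabbitMQ code: the names below are assumptions made for this example.
"""
from ipaddress import ip_address

# Assumed for the example: users restricted to localhost connections.
LOOPBACK_USERS = {"guest"}

# Assumed for the example: the only TCP peers allowed to assert a
# client address via X-Forwarded-For (the reverse proxy in front of
# the management plug-in).
TRUSTED_PROXIES = {"10.0.0.5"}

# Constructed attacker request: a direct connection from the Internet
# carrying a forged header that claims to originate on localhost.
ATTACKER_PEER = "203.0.113.7"
ATTACK_HEADERS = {"X-Forwarded-For": "127.0.0.1"}


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; garbage is never treated as local."""
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def remote_addr_vulnerable(peer_ip: str, headers: dict) -> str:
    """Vulnerable: the header wins over the real TCP peer, whoever sent it.

    The left-most entry is the hop furthest from us, i.e. the one the
    client itself can write, so 127.0.0.1 here costs the attacker nothing.
    """
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def remote_addr_hardened(peer_ip: str, headers: dict) -> str:
    """Hardened: only a trusted proxy may override the peer address.

    A proxy appends the address it actually saw as the LAST entry, so that
    is the only hop it vouches for; anything to the left is client input.
    Unparseable values fall back to the TCP peer.
    """
    if peer_ip not in TRUSTED_PROXIES:
        return peer_ip
    xff = headers.get("X-Forwarded-For")
    if not xff:
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return peer_ip
    candidate = hops[-1]
    try:
        ip_address(candidate)
    except ValueError:
        return peer_ip
    return candidate


def login_allowed(user: str, peer_ip: str, headers: dict, resolver) -> bool:
    """Apply the loopback_users rule using the given address resolver.

    Assumes the user's credentials were already verified; this is only
    the "must come from localhost" restriction.
    """
    if user not in LOOPBACK_USERS:
        return True
    return is_loopback(resolver(peer_ip, headers))


if __name__ == "__main__":
    for name, resolver in (("vulnerable", remote_addr_vulnerable),
                           ("hardened", remote_addr_hardened)):
        ok = login_allowed("guest", ATTACKER_PEER, ATTACK_HEADERS, resolver)
        print(f"{name}: remote guest with forged X-Forwarded-For "
              f"{'ACCEPTED' if ok else 'rejected'}")
```

Run stand-alone, the vulnerable resolver accepts the remote 'guest' login because the forged header places it on 127.0.0.1, while the hardened resolver ignores the header from an untrusted peer and rejects it. Even when the same forged header arrives through the trusted proxy, the proxy's appended entry (the attacker's real address) is the one used, so the restriction still holds.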
Created rabbitmq-server tracking bugs for this issue:
Affects: fedora-all [bug 1174874]
Affects: epel-all [bug 1174875]
Affects: epel-all [bug 1174876]
rabbitmq-server-3.3.5-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.