Bug 1764329 (CVE-2019-11281) - CVE-2019-11281 rabbitmq-server: improper sanitization of vhost limits and federation management UI pages
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11281
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1767277 1767275 1767276 1767278 1767279 1767280 1767281
Blocks: 1764331
Reported: 2019-10-22 19:07 UTC by Pedro Sampaio
Modified: 2021-10-25 09:56 UTC (History)

Fixed In Version: rabbitmq-server 3.7.18
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in rabbitmq-server. User input for the virtual host limits page and the federation management UI was not properly sanitized. A remote, authenticated administrative user could craft a cross-site scripting attack leading to access to virtual host and policy management information.
Clone Of:
Environment:
Last Closed: 2021-10-25 09:56:02 UTC



Description Pedro Sampaio 2019-10-22 19:07:26 UTC
Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross-site scripting attack that would gain access to virtual hosts and policy management information.

References:

https://pivotal.io/security/cve-2019-11281

Comment 4 Summer Long 2019-10-31 04:26:38 UTC
Created rabbitmq-server tracking bugs for this issue:

Affects: epel-all [bug 1767277]
Affects: fedora-all [bug 1767276]
Affects: openstack-rdo [bug 1767275]

Comment 7 Summer Long 2019-10-31 05:06:40 UTC
Mitigation:

There is no mitigation for this issue; the flaw can only be resolved by applying updates.

