Two management endpoints, federation and shovel, do not properly sanitize user input. A remote, authenticated user with administrative access could craft a cross-site scripting attack via the vhost or node name fields, which are rendered into the management UI unescaped, and thereby gain access to virtual host and policy management information.
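The following is an added illustration of the bug class described above; it is not code from the RabbitMQ plugins or from the upstream fix. It assumes a small template-string renderer for one federation link row (the row shape, the field names and the helper names are assumptions) and contrasts the unescaped rendering with the escaped one, using a constructed vhost name that carries a script tag:

```javascript
// Added example (not RabbitMQ project code): an unescaped vhost or node name
// becomes markup in a management-UI table row; escaping neutralises it.
// The link object shape and the helper names are assumptions for illustration.

// Minimal HTML escaper for the characters that can break out of text or
// double/single-quoted attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: interpolates the user-controlled names straight into markup.
function renderLinkRowUnsafe(link) {
  return `<tr><td>${link.vhost}</td><td>${link.node}</td><td>${link.status}</td></tr>`;
}

// Hardened rendering: every field that originates from user input is escaped
// before interpolation, so a name can only ever appear as text.
function renderLinkRowSafe(link) {
  return (
    `<tr><td>${escapeHtml(link.vhost)}</td>` +
    `<td>${escapeHtml(link.node)}</td>` +
    `<td>${escapeHtml(link.status)}</td></tr>`
  );
}

// Constructed sample input: a vhost name carrying a script tag. An administrator
// can create vhosts with arbitrary names, so nothing upstream rejects this value.
const SAMPLE_LINK = {
  vhost: '<script>alert(1)</script>',
  node: 'rabbit@host-1',
  status: 'running',
};

// Simple check used to compare the two renderings: does a raw <script> tag survive?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe:', renderLinkRowUnsafe(SAMPLE_LINK));
console.log('safe:  ', renderLinkRowSafe(SAMPLE_LINK));
console.log('unsafe contains script tag:', containsScriptTag(renderLinkRowUnsafe(SAMPLE_LINK)));
console.log('safe contains script tag:  ', containsScriptTag(renderLinkRowSafe(SAMPLE_LINK)));
```

The practical check when auditing a template is the one the second renderer makes explicit: every interpolation of an operator-supplied string (vhost, node, queue or exchange names, policy names) must pass through an escaping helper, and the helper must cover attribute context as well as text context, since a name may also land inside a `title="..."` or `href="..."`.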
Created rabbitmq-server tracking bugs for this issue:
Affects: fedora-all [bug 1783329]
Affects: openstack-rdo [bug 1783328]
External References: https://pivotal.io/security/cve-2019-11291
This issue has been addressed in the following products:
Red Hat OpenStack Platform 15.0 (Stein) via RHSA-2020:0553 https://access.redhat.com/errata/RHSA-2020:0553
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11291
Upstream commits:
https://github.com/rabbitmq/rabbitmq-federation-management/commit/7dfd6f98688e54cfbdc0370537df705cfb65177e
https://github.com/rabbitmq/rabbitmq-shovel-management/commit/4ed231a13054f9bab228462c82dfa977429436c8