Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05cGY3LWY0N3EtbXdwcc4AAiwc
Cross-site Scripting in RabbitMQ
Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.
Permalink: https://github.com/advisories/GHSA-9pf7-f47q-mwpqJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05cGY3LWY0N3EtbXdwcc4AAiwc
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 3.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Identifiers: GHSA-9pf7-f47q-mwpq, CVE-2019-11291
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-11291
- https://access.redhat.com/errata/RHSA-2020:0553
- https://pivotal.io/security/cve-2019-11291
- https://github.com/advisories/GHSA-9pf7-f47q-mwpq
Affected Packages
hex:rabbit_common
Dependent packages: 7Dependent repositories: 279
Downloads: 10,982,380 total
Affected Version Ranges: >= 3.8.0, < 3.8.1, >= 3.7.0, < 3.7.20
Fixed in: 3.8.1, 3.7.20
All affected versions: 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.5, 3.7.6, 3.7.7, 3.7.8, 3.7.9, 3.7.11, 3.7.12, 3.7.13, 3.7.14, 3.7.15, 3.7.16, 3.7.17, 3.7.18, 3.7.19, 3.8.0
All unaffected versions: 3.0.2, 3.3.5, 3.4.0, 3.5.0, 3.5.6, 3.6.7, 3.6.8, 3.6.9, 3.6.10, 3.6.11, 3.6.12, 3.6.13, 3.6.14, 3.6.15, 3.6.16, 3.7.20, 3.7.21, 3.7.22, 3.7.23, 3.7.24, 3.7.25, 3.7.26, 3.7.27, 3.7.28, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.8.8, 3.8.9, 3.8.10, 3.8.11, 3.8.14, 3.8.19, 3.8.20, 3.8.21, 3.8.22, 3.8.23, 3.8.24, 3.8.25, 3.8.26, 3.8.30, 3.8.31, 3.8.32, 3.8.33, 3.8.34, 3.8.35, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 3.9.8, 3.9.9, 3.9.10, 3.9.11, 3.9.15, 3.9.16, 3.9.17, 3.9.18, 3.9.19, 3.9.20, 3.9.21, 3.9.22, 3.9.23, 3.9.24, 3.9.25, 3.9.26, 3.9.27, 3.9.28, 3.9.29, 3.10.0, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.10.5, 3.10.6, 3.10.7, 3.10.8, 3.10.9, 3.10.10, 3.10.11, 3.10.12, 3.10.13, 3.10.14, 3.10.15, 3.10.16, 3.10.17, 3.10.18, 3.10.19, 3.10.20, 3.10.21, 3.10.22, 3.10.23, 3.10.24, 3.10.25, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.11.4, 3.11.5, 3.11.6, 3.11.7, 3.11.8, 3.11.9, 3.11.10, 3.11.11, 3.11.12, 3.11.13, 3.11.14, 3.11.15, 3.11.16, 3.11.17, 3.11.18, 3.11.19, 3.11.20, 3.11.21, 3.11.22, 3.11.23, 3.11.24, 3.11.25, 3.11.26, 3.11.27, 3.11.28, 3.12.0, 3.12.1, 3.12.2, 3.12.3, 3.12.4, 3.12.5, 3.12.6, 3.12.7, 3.12.8, 3.12.9, 3.12.10, 3.12.11, 3.12.12, 3.12.13, 3.13.0, 3.13.1