CVE-2019-11281

Description

Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.

Related CPE's

apivotal_softwarerabbitmq********

apivotal_softwarerabbitmq*****pivotal_cloud_foundry**

apivotal_softwarerabbitmq*****pivotal_cloud_foundry**

apivotal_softwarerabbitmq*****pivotal_cloud_foundry**

References

https://pivotal.io/security/cve-2019-11281

Vendor Advisory

FEDORA-2019-74d2feb5be

FEDORA-2019-6497f51791

RHSA-2020:0078

[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update

CvssV3 impact

Version

3.1

VectorString

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

AttackVector

NETWORK

AttackComplexity

LOW

PrivilegesRequired

HIGH

UserInteraction

REQUIRED

Scope

CHANGED

ConfidentialityImpact

LOW

IntegrityImpact

LOW

AvailabilityImpact

NONE

BaseScore

4.8

BaseSeverity

MEDIUM

CvssV2 impact

Version

2.0

VectorString

AV:N/AC:M/Au:S/C:N/I:P/A:N

AccessVector

NETWORK

AccessComplexity

MEDIUM

Authentication

SINGLE

ConfidentialityImpact

NONE

IntegrityImpact

PARTIAL

AvailabilityImpact

NONE

BaseScore

3.5

Created by Yello
About Severity.io