Description

Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.

Related CPE's

a

broadcom

rabbitmq_server

2

a

vmware

rabbitmq

2

a

redhat

openstack

15

Vulnerable

References

https://access.redhat.com/errata/RHSA-2020:0553

Third Party Advisory

https://pivotal.io/security/cve-2019-11291

Vendor Advisory

https://access.redhat.com/errata/RHSA-2020:0553

Third Party Advisory

https://pivotal.io/security/cve-2019-11291

Vendor Advisory

Weaknesses

[email protected]

Secondary
CWE-79

[email protected]

Primary
CWE-79

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

4.8 · Medium

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2019-11-22T22:15:11.270Z

6 years ago

Last modified

2025-04-02T12:13:43.180Z

12 months ago