CVE-2019-11291

Description

Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.

Related CPE's

avmwarerabbitmq*****pivotal_cloud_foundry**

avmwarerabbitmq*****pivotal_cloud_foundry**

avmwarerabbitmq********

avmwarerabbitmq3.8.0*******

aredhatopenstack15*******

References

https://pivotal.io/security/cve-2019-11291

Vendor Advisory

RHSA-2020:0553

Third Party Advisory

CvssV3 impact

Version

3.1

VectorString

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

AttackVector

NETWORK

AttackComplexity

LOW

PrivilegesRequired

HIGH

UserInteraction

REQUIRED

Scope

UNCHANGED

ConfidentialityImpact

LOW

IntegrityImpact

LOW

AvailabilityImpact

NONE

BaseScore

3.5

BaseSeverity

LOW

CvssV2 impact

Version

2.0

VectorString

AV:N/AC:M/Au:S/C:N/I:P/A:N

AccessVector

NETWORK

AccessComplexity

MEDIUM

Authentication

SINGLE

ConfidentialityImpact

NONE

IntegrityImpact

PARTIAL

AvailabilityImpact

NONE

BaseScore

3.5

Created by Yello
About Severity.io