CVE-2019-11281

EUVD-2019-2969

16.10.2019, 16:15

Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.8 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
pivotal	CNA	2.4 LOW	NETWORK	LOW	HIGH	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 76%

Affected Products (NVD)

Vendor	Product	Version
pivotal_software	rabbitmq	𝑥 < 3.7.18
pivotal_software	rabbitmq	1.15.0 ≤ 𝑥 < 1.15.13
pivotal_software	rabbitmq	1.16.0 ≤ 𝑥 < 1.16.6
pivotal_software	rabbitmq	1.17.0 ≤ 𝑥 < 1.17.3
debian	debian_linux	9.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

rabbitmq-server

bookworm	3.10.8-1.1+deb12u1 fixed
bookworm (security)	3.10.8-1.1+deb12u1 fixed
bullseye	3.8.9-3+deb11u1 fixed
bullseye (security)	3.8.9-3+deb11u1 fixed
buster	no-dsa
jessie	no-dsa
sid	3.10.8-3 fixed
trixie	3.10.8-3 fixed

Ubuntu Releases

Ubuntu Product

Codename

rabbitmq-server

bionic	not-affected
disco	ignored
eoan	ignored
focal	not-affected
groovy	not-affected
hirsute	not-affected
impish	not-affected
jammy	not-affected
trusty	dne
xenial	not-affected

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://access.redhat.com/errata/RHSA-2020:0078

https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/

https://pivotal.io/security/cve-2019-11281

https://access.redhat.com/errata/RHSA-2020:0078

https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/

https://pivotal.io/security/cve-2019-11281