CVE-2019-11281

16.10.2019, 16:15

Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.8 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
pivotal	CNA	2.4 LOW	NETWORK	LOW	HIGH	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 76%

Vendor	Product	Version
pivotal_software	rabbitmq	𝑥 < 3.7.18
pivotal_software	rabbitmq	1.15.0 ≤ 𝑥 < 1.15.13
pivotal_software	rabbitmq	1.16.0 ≤ 𝑥 < 1.16.6
pivotal_software	rabbitmq	1.17.0 ≤ 𝑥 < 1.17.3
debian	debian_linux	9.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

rabbitmq-server

bullseye (security)	3.8.9-3+deb11u1 fixed
bullseye	3.8.9-3+deb11u1 fixed
buster	no-dsa
jessie	no-dsa
bookworm	3.10.8-1.1+deb12u1 fixed
bookworm (security)	3.10.8-1.1+deb12u1 fixed
sid	3.10.8-3 fixed
trixie	3.10.8-3 fixed

Ubuntu Releases

Ubuntu Product

Codename

rabbitmq-server

jammy	not-affected
impish	not-affected
hirsute	not-affected
groovy	not-affected
focal	not-affected
eoan	ignored
disco	ignored
bionic	not-affected
xenial	not-affected
trusty	dne

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://access.redhat.com/errata/RHSA-2020:0078

https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/

https://pivotal.io/security/cve-2019-11281

https://access.redhat.com/errata/RHSA-2020:0078

https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/

https://pivotal.io/security/cve-2019-11281