CVE-2019-11291

Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
pivotalCNA
4.8 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 65%
Affected Products (NVD)
VendorProductVersion
broadcomrabbitmq_server
3.7.0 ≤
𝑥
< 3.7.20
broadcomrabbitmq_server
3.8.0
vmwarerabbitmq
1.16.0 ≤
𝑥
< 1.16.7
vmwarerabbitmq
1.17.0 ≤
𝑥
< 1.17.4
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
pivotal_softwarerabbitmq
3.8 ≤
𝑥
< 3.8.1
CNA
pivotal_softwarerabbitmq
3.7 ≤
𝑥
< 3.7.20
CNA
pivotal_softwarerabbitmq
1.17 ≤
𝑥
< 1.17.4
CNA
pivotal_softwarerabbitmq
1.16 ≤
𝑥
< 1.16.7
CNA
Debian logo
Debian Releases
Debian Product
Codename
rabbitmq-server
bookworm
3.10.8-1.1+deb12u1
fixed
bookworm (security)
3.10.8-1.1+deb12u1
fixed
bullseye
3.8.9-3+deb11u1
fixed
bullseye (security)
3.8.9-3+deb11u1
fixed
buster
no-dsa
jessie
postponed
sid
3.10.8-3
fixed
stretch
not-affected
trixie
3.10.8-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
rabbitmq-server
bionic
not-affected
focal
not-affected
groovy
not-affected
trusty
dne
xenial
not-affected
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHSA-2020:0553
https://pivotal.io/security/cve-2019-11291
https://access.redhat.com/errata/RHSA-2020:0553
https://pivotal.io/security/cve-2019-11291