CVE-2019-11291

22.11.2019, 23:15

Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.8 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
pivotal	CNA	3.1 LOW	NETWORK	HIGH	HIGH	CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 65%

Vendor	Product	Version
broadcom	rabbitmq_server	3.7.0 ≤ 𝑥 < 3.7.20
broadcom	rabbitmq_server	3.8.0
vmware	rabbitmq	1.16.0 ≤ 𝑥 < 1.16.7
vmware	rabbitmq	1.17.0 ≤ 𝑥 < 1.17.4

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

rabbitmq-server

bullseye (security)	3.8.9-3+deb11u1 fixed
bullseye	3.8.9-3+deb11u1 fixed
buster	no-dsa
stretch	not-affected
jessie	postponed
bookworm	3.10.8-1.1+deb12u1 fixed
bookworm (security)	3.10.8-1.1+deb12u1 fixed
sid	3.10.8-3 fixed
trixie	3.10.8-3 fixed

Ubuntu Releases

Ubuntu Product

Codename

rabbitmq-server

groovy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	dne

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://access.redhat.com/errata/RHSA-2020:0553

https://pivotal.io/security/cve-2019-11291

https://access.redhat.com/errata/RHSA-2020:0553

https://pivotal.io/security/cve-2019-11291