CVE-2019-11291

NameCVE-2019-11291
DescriptionPivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs945601

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rabbitmq-server (PTS)buster3.7.8-4vulnerable
bullseye3.8.9-3fixed
bookworm, sid3.10.8-1.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
rabbitmq-serversourcestretch(not affected)
rabbitmq-serversource(unstable)3.8.3-1945601

Notes

[buster] - rabbitmq-server <no-dsa> (Minor issue)
[stretch] - rabbitmq-server <not-affected> (Vulnerable code not present)
[jessie] - rabbitmq-server <postponed> (Minor issue)
https://github.com/rabbitmq/rabbitmq-shovel-management/commit/c22992b289dddadba866ac2b7fc697bc66847e4f
https://github.com/rabbitmq/rabbitmq-federation-management/commit/52bf0ffbb8695060b1ae909266b9b62717e7ba2d
https://pivotal.io/security/cve-2019-11291
Search for package or bug name: Reporting problems