Name | CVE-2019-11291 |
Description | Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 945601 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
rabbitmq-server (PTS) | bullseye (security), bullseye | 3.8.9-3+deb11u1 | fixed |
bookworm, bookworm (security) | 3.10.8-1.1+deb12u1 | fixed | |
sid, trixie | 3.10.8-3 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
rabbitmq-server | source | stretch | (not affected) | |||
rabbitmq-server | source | (unstable) | 3.8.3-1 | 945601 |
[buster] - rabbitmq-server <no-dsa> (Minor issue)
[stretch] - rabbitmq-server <not-affected> (Vulnerable code not present)
[jessie] - rabbitmq-server <postponed> (Minor issue)
https://github.com/rabbitmq/rabbitmq-shovel-management/commit/c22992b289dddadba866ac2b7fc697bc66847e4f
https://github.com/rabbitmq/rabbitmq-federation-management/commit/52bf0ffbb8695060b1ae909266b9b62717e7ba2d
https://pivotal.io/security/cve-2019-11291