

VAR-201706-0534

Vulnerability from variot - Updated: 2025-04-20 22:29

An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. The RabbitMQ management UI stores a signed-in user's credentials in the browser's local storage without any expiration, so they can be retrieved by a chained attack (for example, one that first obtains script execution in the management UI's origin, or read access to the browser profile on disk). Read the CVSS data below with care: NVD's v2 vector scores this 2.1 (Low; local, partial confidentiality impact only), while its v3 vector scores it 7.8 (High; local, C:H/I:H/A:H) — the practical severity depends on what the exposed management credentials grant in a given deployment. JVNDB classifies the issue as a credentials-management weakness (CWE-255); the possible impacts it lists are information disclosure, information tampering, and denial of service (DoS). Pivotal RabbitMQ products are prone to a local information-disclosure vulnerability; an attacker who exploits it can gain access to sensitive information, which may lead to further attacks.

==========================================================================
Ubuntu Security Notice USN-6265-1
July 31, 2023

rabbitmq-server vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

RabbitMQ could be made to expose sensitive information.

Software Description: - rabbitmq-server: AMQP server written in Erlang

Details:

It was discovered that RabbitMQ incorrectly handled certain signed-in user credentials.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS (Available with Ubuntu Pro): rabbitmq-server 3.5.7-1ubuntu0.16.04.4+esm2

Note that this is a backported fix: the package remains at upstream version 3.5.7, which the vendor advisory above lists as affected (all 3.5.x), so a check keyed on the upstream version alone will flag the patched package as vulnerable; compare the full Debian package version instead.

In general, a standard system update will make all the necessary changes. Because the credentials were persisted client-side in browser local storage without expiration, the server update alone presumably does not remove copies already stored in users' browsers; clearing that storage and considering a credential rotation for affected management users is a sensible follow-up (this is not stated in the notice — verify against the vendor advisory).

References:
  https://ubuntu.com/security/notices/USN-6265-1
  CVE-2017-4966


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201706-0534",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "pivotal",
        "version": "1.7.0"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "pivotal",
        "version": "1.7.8"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "pivotal",
        "version": "1.7.13"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "pivotal",
        "version": "1.7.10"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "pivotal",
        "version": "1.5.10"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "pivotal",
        "version": "1.6.16"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "pivotal",
        "version": "1.7.9"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "pivotal",
        "version": "1.5.8"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "pivotal",
        "version": "1.7.7"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "pivotal",
        "version": "3.6.6"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.4.0"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "debian",
        "version": "9.0"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.6.0"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.4.4"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.4"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.3"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.4.2"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.0"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.6"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.5.6"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.13"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.12"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.6.7"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.9"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.3"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.19"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.5.2"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.6.3"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.0"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.4.1"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.14"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.5.5"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.14"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.5.7"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.5.0"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.6"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.11"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.15"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.2"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.4"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.5"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.6"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.1"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.5.4"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.6.5"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.17"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.5"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.7"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.1"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.4"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.8"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.9"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.10"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.15"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.14"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.7"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.2"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.6.2"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.18"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.5.3"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.2"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.12"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.5"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.5.1"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.6.4"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.4.3"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.13"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.3"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.6.1"
      },
      {
        "model": "rabbitmq",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "1.7.x"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "3.4.x"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "for pcf 1.6.18"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "for pcf 1.5.x"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "3.5.x"
      },
      {
        "model": "rabbitmq",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "3.6.x"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "for pcf 1.7.15"
      },
      {
        "model": "rabbitmq",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "1.6.x"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "3.6.9"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "pivotal",
        "version": "3.4.1"
      },
      {
        "model": "rabbitmq for pcf",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "1.7"
      },
      {
        "model": "rabbitmq for pcf",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "1.6.12"
      },
      {
        "model": "rabbitmq for pcf",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "1.6.4"
      },
      {
        "model": "rabbitmq for pcf",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "1.6.3"
      },
      {
        "model": "rabbitmq for pcf",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "1.6.2"
      },
      {
        "model": "rabbitmq for pcf",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "1.6.1"
      },
      {
        "model": "rabbitmq for pcf",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "1.6"
      },
      {
        "model": "rabbitmq for pcf",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "1.5.20"
      },
      {
        "model": "rabbitmq for pcf",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "1.5"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "3.6"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "3.5.8"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "3.5"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "3.4"
      },
      {
        "model": "rabbitmq for pcf",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "1.7.15"
      },
      {
        "model": "rabbitmq for pcf",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "1.6.18"
      },
      {
        "model": "rabbitmq",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "3.6.9"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "98405"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004862"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1249"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-4966"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:pivotal_software:rabbitmq",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004862"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "GE Digital Security Team.",
    "sources": [
      {
        "db": "BID",
        "id": "98405"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1249"
      }
    ],
    "trust": 0.9
  },
  "cve": "CVE-2017-4966",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 2.1,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 3.9,
            "id": "CVE-2017-4966",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "LOW",
            "trust": 1.9,
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.8,
            "id": "CVE-2017-4966",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Local",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 7.8,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2017-4966",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "Low",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2017-4966",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2017-4966",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201705-1249",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2017-4966",
            "trust": 0.1,
            "value": "LOW"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2017-4966"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004862"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1249"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-4966"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. RabbitMQ management UI stores signed-in user credentials in a browser\u0027s local storage without expiration, making it possible to retrieve them using a chained attack. Pivotal RabbitMQ Contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Pivotal RabbitMQ Products are prone to  local information-disclosure vulnerability. \nAn attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks. ==========================================================================\nUbuntu Security Notice USN-6265-1\nJuly 31, 2023\n\nrabbitmq-server vulnerability\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 16.04 LTS (Available with Ubuntu Pro)\n\nSummary:\n\nRabbitMQ could be made to expose sensitive information. \n\nSoftware Description:\n- rabbitmq-server: AMQP server written in Erlang\n\nDetails:\n\nIt was discovered that RabbitMQ incorrectly handled certain signed-in user\ncredentials. \n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 16.04 LTS (Available with Ubuntu Pro):\n  rabbitmq-server                 3.5.7-1ubuntu0.16.04.4+esm2\n\nIn general, a standard system update will make all the necessary changes. \n\nReferences:\n  https://ubuntu.com/security/notices/USN-6265-1\n  CVE-2017-4966\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2017-4966"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004862"
      },
      {
        "db": "BID",
        "id": "98405"
      },
      {
        "db": "VULMON",
        "id": "CVE-2017-4966"
      },
      {
        "db": "PACKETSTORM",
        "id": "173857"
      }
    ],
    "trust": 2.07
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2017-4966",
        "trust": 2.9
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004862",
        "trust": 0.8
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.2432",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1249",
        "trust": 0.6
      },
      {
        "db": "BID",
        "id": "98405",
        "trust": 0.4
      },
      {
        "db": "VULMON",
        "id": "CVE-2017-4966",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "173857",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2017-4966"
      },
      {
        "db": "BID",
        "id": "98405"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004862"
      },
      {
        "db": "PACKETSTORM",
        "id": "173857"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1249"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-4966"
      }
    ]
  },
  "id": "VAR-201706-0534",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.625
  },
  "last_update_date": "2025-04-20T22:29:14.391000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "CVE-2017-4966: RabbitMQ local storage of credentials",
        "trust": 0.8,
        "url": "https://pivotal.io/security/cve-2017-4966"
      },
      {
        "title": "Pivotal RabbitMQ and RabbitMQ for PCF: remediation for an information disclosure vulnerability",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=70584"
      },
      {
        "title": "Red Hat: CVE-2017-4966",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2017-4966"
      },
      {
        "title": "Debian CVElist Bug Report Logs: CVE-2017-4965 CVE-2017-4966 CVE-2017-4967",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=6b6ae5ada791d0845be3b03f58e84470"
      },
      {
        "title": "Arch Linux Issues: ",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=CVE-2017-4966"
      },
      {
        "title": "Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - April 2017",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins\u0026qid=a31bff03e9909229fd67996884614fdf"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2017-4966"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004862"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1249"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-200",
        "trust": 1.0
      },
      {
        "problemtype": "CWE-255",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004862"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-4966"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.0,
        "url": "https://pivotal.io/security/cve-2017-4966"
      },
      {
        "trust": 1.6,
        "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-4966"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-4966"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.2432"
      },
      {
        "trust": 0.3,
        "url": "http://pivotal.io/"
      },
      {
        "trust": 0.3,
        "url": "https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_9"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/200.html"
      },
      {
        "trust": 0.1,
        "url": "https://www.securityfocus.com/bid/98405"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2017-4966"
      },
      {
        "trust": 0.1,
        "url": "https://ubuntu.com/security/notices/usn-6265-1"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2017-4966"
      },
      {
        "db": "BID",
        "id": "98405"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004862"
      },
      {
        "db": "PACKETSTORM",
        "id": "173857"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1249"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-4966"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULMON",
        "id": "CVE-2017-4966"
      },
      {
        "db": "BID",
        "id": "98405"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004862"
      },
      {
        "db": "PACKETSTORM",
        "id": "173857"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1249"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-4966"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-06-13T00:00:00",
        "db": "VULMON",
        "id": "CVE-2017-4966"
      },
      {
        "date": "2017-05-04T00:00:00",
        "db": "BID",
        "id": "98405"
      },
      {
        "date": "2017-07-10T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-004862"
      },
      {
        "date": "2023-08-01T16:34:49",
        "db": "PACKETSTORM",
        "id": "173857"
      },
      {
        "date": "2017-05-04T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201705-1249"
      },
      {
        "date": "2017-06-13T06:29:00.503000",
        "db": "NVD",
        "id": "CVE-2017-4966"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-07-19T00:00:00",
        "db": "VULMON",
        "id": "CVE-2017-4966"
      },
      {
        "date": "2017-05-23T16:25:00",
        "db": "BID",
        "id": "98405"
      },
      {
        "date": "2017-07-10T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-004862"
      },
      {
        "date": "2022-03-18T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201705-1249"
      },
      {
        "date": "2025-04-20T01:37:25.860000",
        "db": "NVD",
        "id": "CVE-2017-4966"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "local",
    "sources": [
      {
        "db": "BID",
        "id": "98405"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1249"
      }
    ],
    "trust": 0.9
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Pivotal RabbitMQ Vulnerabilities related to certificate and password management",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004862"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "information disclosure",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1249"
      }
    ],
    "trust": 0.6
  }
}

VAR-201706-0526

Vulnerability from variot - Updated: 2025-04-20 22:24

An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks. Pivotal RabbitMQ contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201706-0526",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "pivotal",
        "version": "1.5.19"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "pivotal",
        "version": "1.5.0"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "pivotal",
        "version": "1.5.4"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "pivotal",
        "version": "1.5.2"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "pivotal",
        "version": "1.5.1"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "pivotal",
        "version": "1.7.10"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "pivotal",
        "version": "1.5.6"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "pivotal",
        "version": "1.5.7"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "pivotal",
        "version": "1.5.8"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "pivotal",
        "version": "1.5.3"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "pivotal",
        "version": "3.6.6"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.4.0"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "debian",
        "version": "9.0"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.6.0"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.4.4"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.4"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.3"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.4.2"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.6"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.5.6"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.13"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.12"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.6.7"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.9"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.5.2"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.6.3"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.0"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.4.1"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.14"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.5.5"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.14"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.5.7"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.5.0"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.10"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.6"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.11"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.15"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.9"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.5"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.1"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.5.4"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.6.5"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.17"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.5"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.4"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.8"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.9"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.10"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.15"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.14"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.7"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.7"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.13"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.2"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.6.2"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.18"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.5.3"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.2"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.12"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.5"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.5.1"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.6.4"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.4.3"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.13"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.8"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.0"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.3"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.6.1"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.16"
      },
      {
        "model": "rabbitmq",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "1.7.x"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "3.4.x"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "for pcf 1.6.18"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "for pcf 1.5.x"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "3.5.x"
      },
      {
        "model": "rabbitmq",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "3.6.x"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "for pcf 1.7.15"
      },
      {
        "model": "rabbitmq",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "1.6.x"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "3.6.9"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "3.6.7"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "3.6"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "3.5.8"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "3.5"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "3.4"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "3.0"
      },
      {
        "model": "rabbitmq",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "3.6.9"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "98406"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004863"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1247"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-4967"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:pivotal_software:rabbitmq",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004863"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The vendor reported this issue.",
    "sources": [
      {
        "db": "BID",
        "id": "98406"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2017-4967",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "CVE-2017-4967",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.9,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 2.8,
            "id": "CVE-2017-4967",
            "impactScore": 2.7,
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 6.1,
            "baseSeverity": "Medium",
            "confidentialityImpact": "Low",
            "exploitabilityScore": null,
            "id": "CVE-2017-4967",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "None",
            "scope": "Changed",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2017-4967",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2017-4967",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201705-1247",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULMON",
            "id": "CVE-2017-4967",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2017-4967"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004863"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1247"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-4967"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks. Pivotal RabbitMQ contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. \nAn attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2017-4967"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004863"
      },
      {
        "db": "BID",
        "id": "98406"
      },
      {
        "db": "VULMON",
        "id": "CVE-2017-4967"
      }
    ],
    "trust": 1.98
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2017-4967",
        "trust": 2.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004863",
        "trust": 0.8
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.2432",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1247",
        "trust": 0.6
      },
      {
        "db": "BID",
        "id": "98406",
        "trust": 0.4
      },
      {
        "db": "VULMON",
        "id": "CVE-2017-4967",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2017-4967"
      },
      {
        "db": "BID",
        "id": "98406"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004863"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1247"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-4967"
      }
    ]
  },
  "id": "VAR-201706-0526",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.625
  },
  "last_update_date": "2025-04-20T22:24:06.087000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "CVE-2017-4965 and CVE-2017-4967: XSS vulnerabilities in RabbitMQ management UI",
        "trust": 0.8,
        "url": "https://pivotal.io/security/cve-2017-4965"
      },
      {
        "title": "Pivotal RabbitMQ Fixes for cross-site scripting vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=70582"
      },
      {
        "title": "Debian CVElist Bug Report Logs: CVE-2017-4965 CVE-2017-4966 CVE-2017-4967",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=6b6ae5ada791d0845be3b03f58e84470"
      },
      {
        "title": "Red Hat: CVE-2017-4967",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2017-4967"
      },
      {
        "title": "Arch Linux Issues: ",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=CVE-2017-4967"
      },
      {
        "title": "Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - April 2017",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins\u0026qid=a31bff03e9909229fd67996884614fdf"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2017-4967"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004863"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1247"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004863"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-4967"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.7,
        "url": "https://pivotal.io/security/cve-2017-4965"
      },
      {
        "trust": 1.6,
        "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-4967"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-4967"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.2432"
      },
      {
        "trust": 0.3,
        "url": "http://pivotal.io/"
      },
      {
        "trust": 0.3,
        "url": "https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_9"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/79.html"
      },
      {
        "trust": 0.1,
        "url": "https://www.securityfocus.com/bid/98406"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863586"
      },
      {
        "trust": 0.1,
        "url": "https://security.archlinux.org/cve-2017-4967"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2017-4967"
      },
      {
        "db": "BID",
        "id": "98406"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004863"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1247"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-4967"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULMON",
        "id": "CVE-2017-4967"
      },
      {
        "db": "BID",
        "id": "98406"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004863"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1247"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-4967"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-06-13T00:00:00",
        "db": "VULMON",
        "id": "CVE-2017-4967"
      },
      {
        "date": "2017-05-11T00:00:00",
        "db": "BID",
        "id": "98406"
      },
      {
        "date": "2017-07-10T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-004863"
      },
      {
        "date": "2017-05-11T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201705-1247"
      },
      {
        "date": "2017-06-13T06:29:00.520000",
        "db": "NVD",
        "id": "CVE-2017-4967"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-07-19T00:00:00",
        "db": "VULMON",
        "id": "CVE-2017-4967"
      },
      {
        "date": "2017-05-23T16:25:00",
        "db": "BID",
        "id": "98406"
      },
      {
        "date": "2017-07-10T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-004863"
      },
      {
        "date": "2022-03-18T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201705-1247"
      },
      {
        "date": "2025-04-20T01:37:25.860000",
        "db": "NVD",
        "id": "CVE-2017-4967"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1247"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Pivotal RabbitMQ Vulnerable to cross-site scripting",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004863"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "XSS",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1247"
      }
    ],
    "trust": 0.6
  }
}

VAR-201706-0533

Vulnerability from variot - Updated: 2025-04-20 20:10

An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks. Pivotal RabbitMQ contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Pivotal RabbitMQ products are prone to a cross-site scripting vulnerability because they fail to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201706-0533",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.9,
        "vendor": "pivotal",
        "version": "3.6.6"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "pivotal",
        "version": "1.5.19"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "pivotal",
        "version": "1.5.7"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "pivotal",
        "version": "1.6.15"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "pivotal",
        "version": "1.5.3"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.4.0"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "debian",
        "version": "9.0"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.6.0"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.4.4"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.4"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.8"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.3"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.4.2"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.0"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.6"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.5.6"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.13"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.12"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.6.7"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.9"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.5.2"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.6.3"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.0"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.4.1"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.14"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.5.5"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.10"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.14"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.5.7"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.5.0"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.10"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.6"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.11"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.2"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.9"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.4"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.5"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.6"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.1"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.5.4"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.6.5"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.17"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.5"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.1"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.4"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.8"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.9"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.10"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.15"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.14"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.7"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.7"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.13"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.2"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.6.2"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.18"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.5.3"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.2"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.5.12"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.5"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.5.1"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.6.4"
      },
      {
        "model": "rabbitmq server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.4.3"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.13"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.8"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.0"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.7.3"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.6.1"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.6.16"
      },
      {
        "model": "rabbitmq",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "1.7.x"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "3.4.x"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "for pcf 1.6.18"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "for pcf 1.5.x"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "3.5.x"
      },
      {
        "model": "rabbitmq",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "3.6.x"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "for pcf 1.7.15"
      },
      {
        "model": "rabbitmq",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "1.6.x"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "3.6.9"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "pivotal",
        "version": "3.4.3"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "pivotal",
        "version": "3.6.7"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "pivotal",
        "version": "3.4.1"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "pivotal",
        "version": "3.4.2"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "pivotal",
        "version": "3.4.0"
      },
      {
        "model": "rabbitmq for pcf",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "1.7.7"
      },
      {
        "model": "rabbitmq for pcf",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "1.7"
      },
      {
        "model": "rabbitmq for pcf",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "1.6.12"
      },
      {
        "model": "rabbitmq for pcf",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "1.6.4"
      },
      {
        "model": "rabbitmq for pcf",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "1.6.3"
      },
      {
        "model": "rabbitmq for pcf",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "1.6.2"
      },
      {
        "model": "rabbitmq for pcf",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "1.6.1"
      },
      {
        "model": "rabbitmq for pcf",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "1.6"
      },
      {
        "model": "rabbitmq for pcf",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "1.5.20"
      },
      {
        "model": "rabbitmq for pcf",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "1.5"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "3.6"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "3.5"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "3.4"
      },
      {
        "model": "rabbitmq for pcf",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "1.7.15"
      },
      {
        "model": "rabbitmq for pcf",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "1.6.18"
      },
      {
        "model": "rabbitmq",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "3.6.9"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "98394"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004861"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1213"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-4965"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:pivotal_software:rabbitmq",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004861"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "GE Digital Security Team and by Brandon Williams from Early Warning.",
    "sources": [
      {
        "db": "BID",
        "id": "98394"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1213"
      }
    ],
    "trust": 0.9
  },
  "cve": "CVE-2017-4965",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "CVE-2017-4965",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.9,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 2.8,
            "id": "CVE-2017-4965",
            "impactScore": 2.7,
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 6.1,
            "baseSeverity": "Medium",
            "confidentialityImpact": "Low",
            "exploitabilityScore": null,
            "id": "CVE-2017-4965",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "None",
            "scope": "Changed",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2017-4965",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2017-4965",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201705-1213",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULMON",
            "id": "CVE-2017-4965",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2017-4965"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004861"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1213"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-4965"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks. Pivotal RabbitMQ Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Pivotal RabbitMQ products are prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. \nAn attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2017-4965"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004861"
      },
      {
        "db": "BID",
        "id": "98394"
      },
      {
        "db": "VULMON",
        "id": "CVE-2017-4965"
      }
    ],
    "trust": 1.98
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2017-4965",
        "trust": 2.8
      },
      {
        "db": "BID",
        "id": "98394",
        "trust": 2.0
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004861",
        "trust": 0.8
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.2432",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1213",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2017-4965",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2017-4965"
      },
      {
        "db": "BID",
        "id": "98394"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004861"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1213"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-4965"
      }
    ]
  },
  "id": "VAR-201706-0533",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.625
  },
  "last_update_date": "2025-04-20T20:10:58.079000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "CVE-2017-4965 and CVE-2017-4967: XSS vulnerabilities in RabbitMQ management UI",
        "trust": 0.8,
        "url": "https://pivotal.io/security/cve-2017-4965"
      },
      {
        "title": "Pivotal RabbitMQ  and Pivotal RabbitMQ for PCF Fixes for cross-site scripting vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=70557"
      },
      {
        "title": "Debian CVElist Bug Report Logs: CVE-2017-4965 CVE-2017-4966 CVE-2017-4967",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=6b6ae5ada791d0845be3b03f58e84470"
      },
      {
        "title": "Red Hat: CVE-2017-4965",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2017-4965"
      },
      {
        "title": "Arch Linux Issues: ",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=CVE-2017-4965"
      },
      {
        "title": "Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - April 2017",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins\u0026qid=a31bff03e9909229fd67996884614fdf"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2017-4965"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004861"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1213"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004861"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-4965"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.0,
        "url": "https://pivotal.io/security/cve-2017-4965"
      },
      {
        "trust": 1.8,
        "url": "http://www.securityfocus.com/bid/98394"
      },
      {
        "trust": 1.6,
        "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-4965"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-4965"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.2432"
      },
      {
        "trust": 0.3,
        "url": "http://pivotal.io/"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/79.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863586"
      },
      {
        "trust": 0.1,
        "url": "https://security.archlinux.org/cve-2017-4965"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2017-4965"
      },
      {
        "db": "BID",
        "id": "98394"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004861"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1213"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-4965"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULMON",
        "id": "CVE-2017-4965"
      },
      {
        "db": "BID",
        "id": "98394"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004861"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1213"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-4965"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-06-13T00:00:00",
        "db": "VULMON",
        "id": "CVE-2017-4965"
      },
      {
        "date": "2017-05-11T00:00:00",
        "db": "BID",
        "id": "98394"
      },
      {
        "date": "2017-07-10T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-004861"
      },
      {
        "date": "2017-05-11T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201705-1213"
      },
      {
        "date": "2017-06-13T06:29:00.457000",
        "db": "NVD",
        "id": "CVE-2017-4965"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-07-19T00:00:00",
        "db": "VULMON",
        "id": "CVE-2017-4965"
      },
      {
        "date": "2017-05-23T16:24:00",
        "db": "BID",
        "id": "98394"
      },
      {
        "date": "2017-07-10T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-004861"
      },
      {
        "date": "2022-03-18T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201705-1213"
      },
      {
        "date": "2025-04-20T01:37:25.860000",
        "db": "NVD",
        "id": "CVE-2017-4965"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1213"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Pivotal RabbitMQ Vulnerable to cross-site scripting",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-004861"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "XSS",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201705-1213"
      }
    ],
    "trust": 0.6
  }
}

VAR-201911-1657

Vulnerability from variot - Updated: 2025-04-02 19:57

Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing. Pivotal RabbitMQ and RabbitMQ for Pivotal Platform contain a resource exhaustion vulnerability, which may result in service operation interruption (DoS).

==========================================================================
Ubuntu Security Notice USN-5004-1
June 24, 2021

rabbitmq-server vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 21.04
  • Ubuntu 20.10
  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in rabbitmq-server.

Software Description:
- rabbitmq-server: AMQP server written in Erlang

Details:

It was discovered that RabbitMQ incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 ESM and Ubuntu 18.04 LTS. (CVE-2019-11287)

Jonathan Knudsen discovered RabbitMQ incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service. (CVE-2021-22116)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 21.04: rabbitmq-server 3.8.9-2ubuntu0.1

Ubuntu 20.10: rabbitmq-server 3.8.5-1ubuntu0.2

Ubuntu 20.04 LTS: rabbitmq-server 3.8.2-0ubuntu1.3

Ubuntu 18.04 LTS: rabbitmq-server 3.6.10-1ubuntu0.5

Ubuntu 16.04 ESM: rabbitmq-server 3.5.7-1ubuntu0.16.04.4+esm1

In general, a standard system update will make all the necessary changes.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: rabbitmq-server security update
Advisory ID: RHSA-2020:0078-01
Product: Red Hat Enterprise Linux OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2020:0078
Issue date: 2020-01-13
CVE Names: CVE-2019-11287
=====================================================================

  1. Summary:

An update for rabbitmq-server is now available for Red Hat OpenStack Platform 15 (Stein).

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

  2. Relevant releases/architectures:

Red Hat OpenStack Platform 15.0 - ppc64le, x86_64

  3. Description:

RabbitMQ is an implementation of AMQP, the emerging standard for high performance enterprise messaging. The RabbitMQ server is a robust and scalable implementation of an AMQP broker.

Security Fix(es):

  • "X-Reason" HTTP Header can be leveraged to insert a malicious string leading to DoS (CVE-2019-11287)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.

  4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

  5. Package List:

Red Hat OpenStack Platform 15.0:

Source: rabbitmq-server-3.7.22-1.el8ost.src.rpm

ppc64le: rabbitmq-server-3.7.22-1.el8ost.ppc64le.rpm

x86_64: rabbitmq-server-3.7.22-1.el8ost.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

  7. References:

https://access.redhat.com/security/cve/CVE-2019-11287
https://access.redhat.com/security/updates/classification/#important

  8. Contact:

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXhxCd9zjgjWX9erEAQhcJhAAkFi7Cpsx7AQav3E+LgCF0GblFmJWFP3L qg5F2/2FFdd1fFfHN3FvT9km571u1Hm9oPjKe4g2SgkrOmsP+mEsqD6nXHg1vHGw yOZ4GSGO0bde/Zj5USrmxFIwZcmbl5MzIrCqtx9fNPQPZzI4Hk8qmpINvc6wBZFs aZafHly3mPvxP28rAnEtkjUCEzRuXnovQDrCW8sfNCT1Vhayg+A0cS2iM8rHak25 SNlac9rq3dVkw1wWdgeVmNwu1bCcKopXLYrwVC70esX9fZxnCtPB0iTjy3g4qvxV xfcdsLLQOAYQZdBDtn1M+1GjjG7NLqcP6jD8ySBM+uNwyNiH20LpXmMO9ShysM31 BrYG+aNJyb8AmrMtNF/MijJqv1SYakhHANK0OsdkgGokZWss7yhe7qOpZVU83z41 owwpUrSsBO2xRb85nzo7AcoI0na/f965KyQjt7P1stMiTaXd84VucWlNcEH+I4ox 0zbC4AWgKTbvnMNA2WDSPpx2fkcBS3PdjBi/1MqGES6srz+4oH8MunlqojqKjK9j /YkttwQD78cswQPm1LBaZNaFpqtFnFnAjN18E+phb2Y01hTCvwqVj05fp+eDNQM+ N20HEjc8EDWAmyOGqripUnQ+rRBuPSfkU686szcZwrHFqrz/sh8h0qFRca/Za+4v qUGcuX2aS7Q= =/zG9 -----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201911-1657",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "rabbitmq",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.16.7"
      },
      {
        "model": "rabbitmq",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.17.0"
      },
      {
        "model": "rabbitmq",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.17.4"
      },
      {
        "model": "rabbitmq server",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.8.1"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "debian",
        "version": "9.0"
      },
      {
        "model": "rabbitmq server",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "3.8.0"
      },
      {
        "model": "fedora",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "fedoraproject",
        "version": "30"
      },
      {
        "model": "openstack",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "redhat",
        "version": "15"
      },
      {
        "model": "rabbitmq",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "1.16.0"
      },
      {
        "model": "rabbitmq",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.7.21"
      },
      {
        "model": "fedora",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "fedoraproject",
        "version": "31"
      },
      {
        "model": "rabbitmq",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "pivotal",
        "version": "3.7.0"
      },
      {
        "model": "rabbitmq",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "3.7"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "3.8.1"
      },
      {
        "model": "rabbitmq",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "1.17.x"
      },
      {
        "model": "rabbitmq",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "1.16.x"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "3.7.21"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "for pivotal platform 1.16.7"
      },
      {
        "model": "rabbitmq",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "for pivotal platform 1.17.4"
      },
      {
        "model": "rabbitmq",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "3.8"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-012564"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-11287"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:pivotal_software:rabbitmq",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-012564"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Red Hat",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "155914"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201911-1307"
      }
    ],
    "trust": 0.7
  },
  "cve": "CVE-2019-11287",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "CVE-2019-11287",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.9,
            "id": "CVE-2019-11287",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "security@pivotal.io",
            "availabilityImpact": "HIGH",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 0.9,
            "id": "CVE-2019-11287",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 7.5,
            "baseSeverity": "High",
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2019-11287",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2019-11287",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "security@pivotal.io",
            "id": "CVE-2019-11287",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2019-11287",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201911-1307",
            "trust": 0.6,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-012564"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201911-1307"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-11287"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-11287"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The \"X-Reason\" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing. Pivotal RabbitMQ and RabbitMQ for Pivotal Platform Contains a resource exhaustion vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. ==========================================================================\nUbuntu Security Notice USN-5004-1\nJune 24, 2021\n\nrabbitmq-server vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 21.04\n- Ubuntu 20.10\n- Ubuntu 20.04 LTS\n- Ubuntu 18.04 LTS\n- Ubuntu 16.04 ESM\n\nSummary:\n\nSeveral security issues were fixed in rabbitmq-server. \n\nSoftware Description:\n- rabbitmq-server: AMQP server written in Erlang\n\nDetails:\n\nIt was discovered that RabbitMQ incorrectly handled certain inputs. \nAn attacker could possibly use this issue to cause a denial of service. This\nissue only affected Ubuntu 16.04 ESM and Ubuntu 18.04 LTS. (CVE-2019-11287)\n\nJonathan Knudsen discovered RabbitMQ incorrectly handled certain inputs. \nAn attacker could possibly use this issue to cause a denial of service. 
\n(CVE-2021-22116)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 21.04:\n  rabbitmq-server                 3.8.9-2ubuntu0.1\n\nUbuntu 20.10:\n  rabbitmq-server                 3.8.5-1ubuntu0.2\n\nUbuntu 20.04 LTS:\n  rabbitmq-server                 3.8.2-0ubuntu1.3\n\nUbuntu 18.04 LTS:\n  rabbitmq-server                 3.6.10-1ubuntu0.5\n\nUbuntu 16.04 ESM:\n  rabbitmq-server                 3.5.7-1ubuntu0.16.04.4+esm1\n\nIn general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n                   Red Hat Security Advisory\n\nSynopsis:          Important: rabbitmq-server security update\nAdvisory ID:       RHSA-2020:0078-01\nProduct:           Red Hat Enterprise Linux OpenStack Platform\nAdvisory URL:      https://access.redhat.com/errata/RHSA-2020:0078\nIssue date:        2020-01-13\nCVE Names:         CVE-2019-11287 \n=====================================================================\n\n1. Summary:\n\nAn update for rabbitmq-server is now available for Red Hat OpenStack\nPlatform 15 (Stein). \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat OpenStack Platform 15.0 - ppc64le, x86_64\n\n3. Description:\n\nRabbitMQ is an implementation of AMQP, the emerging standard for high\nperformance enterprise messaging. The RabbitMQ server is a robust and\nscalable implementation of an AMQP broker. 
\n\nSecurity Fix(es):\n\n* \"X-Reason\" HTTP Header can be leveraged to insert a malicious string\nleading to DoS (CVE-2019-11287)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage listed in the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Package List:\n\nRed Hat OpenStack Platform 15.0:\n\nSource:\nrabbitmq-server-3.7.22-1.el8ost.src.rpm\n\nppc64le:\nrabbitmq-server-3.7.22-1.el8ost.ppc64le.rpm\n\nx86_64:\nrabbitmq-server-3.7.22-1.el8ost.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security.  Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2019-11287\nhttps://access.redhat.com/security/updates/classification/#important\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2020 Red Hat, Inc. 
\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBXhxCd9zjgjWX9erEAQhcJhAAkFi7Cpsx7AQav3E+LgCF0GblFmJWFP3L\nqg5F2/2FFdd1fFfHN3FvT9km571u1Hm9oPjKe4g2SgkrOmsP+mEsqD6nXHg1vHGw\nyOZ4GSGO0bde/Zj5USrmxFIwZcmbl5MzIrCqtx9fNPQPZzI4Hk8qmpINvc6wBZFs\naZafHly3mPvxP28rAnEtkjUCEzRuXnovQDrCW8sfNCT1Vhayg+A0cS2iM8rHak25\nSNlac9rq3dVkw1wWdgeVmNwu1bCcKopXLYrwVC70esX9fZxnCtPB0iTjy3g4qvxV\nxfcdsLLQOAYQZdBDtn1M+1GjjG7NLqcP6jD8ySBM+uNwyNiH20LpXmMO9ShysM31\nBrYG+aNJyb8AmrMtNF/MijJqv1SYakhHANK0OsdkgGokZWss7yhe7qOpZVU83z41\nowwpUrSsBO2xRb85nzo7AcoI0na/f965KyQjt7P1stMiTaXd84VucWlNcEH+I4ox\n0zbC4AWgKTbvnMNA2WDSPpx2fkcBS3PdjBi/1MqGES6srz+4oH8MunlqojqKjK9j\n/YkttwQD78cswQPm1LBaZNaFpqtFnFnAjN18E+phb2Y01hTCvwqVj05fp+eDNQM+\nN20HEjc8EDWAmyOGqripUnQ+rRBuPSfkU686szcZwrHFqrz/sh8h0qFRca/Za+4v\nqUGcuX2aS7Q=\n=/zG9\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2019-11287"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-012564"
      },
      {
        "db": "PACKETSTORM",
        "id": "163278"
      },
      {
        "db": "PACKETSTORM",
        "id": "155914"
      }
    ],
    "trust": 1.8
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2019-11287",
        "trust": 2.6
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-012564",
        "trust": 0.8
      },
      {
        "db": "PACKETSTORM",
        "id": "163278",
        "trust": 0.7
      },
      {
        "db": "PACKETSTORM",
        "id": "155914",
        "trust": 0.7
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.0135",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.2233",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.2432",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201911-1307",
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-012564"
      },
      {
        "db": "PACKETSTORM",
        "id": "163278"
      },
      {
        "db": "PACKETSTORM",
        "id": "155914"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201911-1307"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-11287"
      }
    ]
  },
  "id": "VAR-201911-1657",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.625
  },
  "last_update_date": "2025-04-02T19:57:39.118000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "CVE-2019-11287: RabbitMQ Web Management Plugin DoS via heap overflow",
        "trust": 0.8,
        "url": "https://pivotal.io/security/cve-2019-11287"
      },
      {
        "title": "Pivotal Software RabbitMQ Remediation of resource management error vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=104058"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-012564"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201911-1307"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-400",
        "trust": 1.8
      },
      {
        "problemtype": "CWE-134",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-012564"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-11287"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.3,
        "url": "https://access.redhat.com/errata/rhsa-2020:0078"
      },
      {
        "trust": 2.2,
        "url": "https://pivotal.io/security/cve-2019-11287"
      },
      {
        "trust": 1.6,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-11287"
      },
      {
        "trust": 1.6,
        "url": "https://github.com/drunkenshells/disclosures/tree/master/cve-2019-11287-dos%20via%20heap%20overflow-rabbitmq%20web%20management%20plugin"
      },
      {
        "trust": 1.6,
        "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
      },
      {
        "trust": 1.4,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11287"
      },
      {
        "trust": 1.0,
        "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/pytgr3d5fw2o25rxzotizmod2hauvbe4/"
      },
      {
        "trust": 1.0,
        "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/eeq6o7pmnjkyfmqyhab55l423gyk63so/"
      },
      {
        "trust": 0.7,
        "url": "https://access.redhat.com/security/cve/cve-2019-11287"
      },
      {
        "trust": 0.6,
        "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/pytgr3d5fw2o25rxzotizmod2hauvbe4/"
      },
      {
        "trust": 0.6,
        "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/eeq6o7pmnjkyfmqyhab55l423gyk63so/"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/163278/ubuntu-security-notice-usn-5004-1.html"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/155914/red-hat-security-advisory-2020-0078-01.html"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.2432"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.2233"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.0135/"
      },
      {
        "trust": 0.1,
        "url": "https://launchpad.net/ubuntu/+source/rabbitmq-server/3.6.10-1ubuntu0.5"
      },
      {
        "trust": 0.1,
        "url": "https://launchpad.net/ubuntu/+source/rabbitmq-server/3.8.9-2ubuntu0.1"
      },
      {
        "trust": 0.1,
        "url": "https://ubuntu.com/security/notices/usn-5004-1"
      },
      {
        "trust": 0.1,
        "url": "https://launchpad.net/ubuntu/+source/rabbitmq-server/3.8.5-1ubuntu0.2"
      },
      {
        "trust": 0.1,
        "url": "https://launchpad.net/ubuntu/+source/rabbitmq-server/3.8.2-0ubuntu1.3"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-22116"
      },
      {
        "trust": 0.1,
        "url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/articles/11258"
      },
      {
        "trust": 0.1,
        "url": "https://bugzilla.redhat.com/):"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/team/key/"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/team/contact/"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/updates/classification/#important"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-012564"
      },
      {
        "db": "PACKETSTORM",
        "id": "163278"
      },
      {
        "db": "PACKETSTORM",
        "id": "155914"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201911-1307"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-11287"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-012564"
      },
      {
        "db": "PACKETSTORM",
        "id": "163278"
      },
      {
        "db": "PACKETSTORM",
        "id": "155914"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201911-1307"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-11287"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-12-05T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-012564"
      },
      {
        "date": "2021-06-24T17:57:46",
        "db": "PACKETSTORM",
        "id": "163278"
      },
      {
        "date": "2020-01-13T18:04:22",
        "db": "PACKETSTORM",
        "id": "155914"
      },
      {
        "date": "2019-11-22T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201911-1307"
      },
      {
        "date": "2019-11-23T00:15:10.683000",
        "db": "NVD",
        "id": "CVE-2019-11287"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-12-05T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-012564"
      },
      {
        "date": "2021-08-05T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201911-1307"
      },
      {
        "date": "2025-04-02T14:13:43.180000",
        "db": "NVD",
        "id": "CVE-2019-11287"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201911-1307"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Pivotal RabbitMQ and RabbitMQ for Pivotal Platform Vulnerable to resource exhaustion",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-012564"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "format string error",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201911-1307"
      }
    ],
    "trust": 0.6
  }
}

CVE-2019-11287 (GCVE-0-2019-11287)

Vulnerability from nvd – Published: 2019-11-22 23:26 – Updated: 2024-09-16 22:24
Title
RabbitMQ Web Management Plugin DoS via heap overflow
Summary
Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.
CWE
Assigner
Impacted products
Vendor Product Version
Pivotal RabbitMQ for Pivotal Platform Affected: 1.16 , < 1.16.7 (custom)
Affected: 1.17 , < 1.17.4 (custom)
    Pivotal RabbitMQ Affected: 3.7 , < v3.7.21 (custom)
Affected: 3.8 , < v3.8.1 (custom)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:48:09.092Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://pivotal.io/security/cve-2019-11287"
          },
          {
            "name": "FEDORA-2019-6497f51791",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
          },
          {
            "name": "FEDORA-2019-74d2feb5be",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
          },
          {
            "name": "RHSA-2020:0078",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0078"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin"
          },
          {
            "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "RabbitMQ for Pivotal Platform",
          "vendor": "Pivotal",
          "versions": [
            {
              "lessThan": "1.16.7",
              "status": "affected",
              "version": "1.16",
              "versionType": "custom"
            },
            {
              "lessThan": "1.17.4",
              "status": "affected",
              "version": "1.17",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "RabbitMQ",
          "vendor": "Pivotal",
          "versions": [
            {
              "lessThan": "v3.7.21",
              "status": "affected",
              "version": "3.7",
              "versionType": "custom"
            },
            {
              "lessThan": "v3.8.1",
              "status": "affected",
              "version": "3.8",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2019-11-22T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The \"X-Reason\" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Denial of Service",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-19T19:06:18",
        "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "shortName": "pivotal"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://pivotal.io/security/cve-2019-11287"
        },
        {
          "name": "FEDORA-2019-6497f51791",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
        },
        {
          "name": "FEDORA-2019-74d2feb5be",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
        },
        {
          "name": "RHSA-2020:0078",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0078"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin"
        },
        {
          "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "RabbitMQ Web Management Plugin DoS via heap overflow",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@pivotal.io",
          "DATE_PUBLIC": "2019-11-22T20:51:56.000Z",
          "ID": "CVE-2019-11287",
          "STATE": "PUBLIC",
          "TITLE": "RabbitMQ Web Management Plugin DoS via heap overflow"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "RabbitMQ for Pivotal Platform",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "1.16",
                            "version_value": "1.16.7"
                          },
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "1.17",
                            "version_value": "1.17.4"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "RabbitMQ",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "3.7",
                            "version_value": "v3.7.21"
                          },
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "3.8",
                            "version_value": "v3.8.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Pivotal"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The \"X-Reason\" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-400: Denial of Service"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pivotal.io/security/cve-2019-11287",
              "refsource": "CONFIRM",
              "url": "https://pivotal.io/security/cve-2019-11287"
            },
            {
              "name": "FEDORA-2019-6497f51791",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
            },
            {
              "name": "FEDORA-2019-74d2feb5be",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
            },
            {
              "name": "RHSA-2020:0078",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0078"
            },
            {
              "name": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin",
              "refsource": "MISC",
              "url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin"
            },
            {
              "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
    "assignerShortName": "pivotal",
    "cveId": "CVE-2019-11287",
    "datePublished": "2019-11-22T23:26:08.880149Z",
    "dateReserved": "2019-04-18T00:00:00",
    "dateUpdated": "2024-09-16T22:24:51.121Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-11291 (GCVE-0-2019-11291)

Vulnerability from nvd – Published: 2019-11-22 22:56 – Updated: 2024-09-17 00:31
Title
RabbitMQ XSS attack via federation and shovel endpoints
Summary
Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.
CWE
  • CWE-79 - Cross-site Scripting (XSS) - Generic
Assigner
References
Impacted products
Vendor Product Version
Pivotal RabbitMQ Affected: 3.8 , < v3.8.1 (custom)
Affected: 3.7 , < v3.7.20 (custom)
    Pivotal RabbitMQ for Pivotal Platform Affected: 1.17 , < 1.17.4 (custom)
Affected: 1.16 , < 1.16.7 (custom)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:48:09.290Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://pivotal.io/security/cve-2019-11291"
          },
          {
            "name": "RHSA-2020:0553",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0553"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "RabbitMQ",
          "vendor": "Pivotal",
          "versions": [
            {
              "lessThan": "v3.8.1",
              "status": "affected",
              "version": "3.8",
              "versionType": "custom"
            },
            {
              "lessThan": "v3.7.20",
              "status": "affected",
              "version": "3.7",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "RabbitMQ for Pivotal Platform",
          "vendor": "Pivotal",
          "versions": [
            {
              "lessThan": "1.17.4",
              "status": "affected",
              "version": "1.17",
              "versionType": "custom"
            },
            {
              "lessThan": "1.16.7",
              "status": "affected",
              "version": "1.16",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2019-11-22T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Cross-site Scripting (XSS) - Generic",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-19T18:06:05",
        "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "shortName": "pivotal"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://pivotal.io/security/cve-2019-11291"
        },
        {
          "name": "RHSA-2020:0553",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0553"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "RabbitMQ XSS attack via federation and shovel endpoints",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@pivotal.io",
          "DATE_PUBLIC": "2019-11-22T20:37:00.000Z",
          "ID": "CVE-2019-11291",
          "STATE": "PUBLIC",
          "TITLE": "RabbitMQ XSS attack via federation and shovel endpoints"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "RabbitMQ",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "3.8",
                            "version_value": "v3.8.1"
                          },
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "3.7",
                            "version_value": "v3.7.20"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "RabbitMQ for Pivotal Platform",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "1.17",
                            "version_value": "1.17.4"
                          },
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "1.16",
                            "version_value": "1.16.7"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Pivotal"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79: Cross-site Scripting (XSS) - Generic"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pivotal.io/security/cve-2019-11291",
              "refsource": "CONFIRM",
              "url": "https://pivotal.io/security/cve-2019-11291"
            },
            {
              "name": "RHSA-2020:0553",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0553"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
    "assignerShortName": "pivotal",
    "cveId": "CVE-2019-11291",
    "datePublished": "2019-11-22T22:56:08.641103Z",
    "dateReserved": "2019-04-18T00:00:00",
    "dateUpdated": "2024-09-17T00:31:38.392Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-11281 (GCVE-0-2019-11281)

Vulnerability from nvd – Published: 2019-10-16 15:23 – Updated: 2024-09-16 19:05
Title
RabbitMQ XSS attack
Summary
Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.
CWE
  • CWE-79 - Cross-site Scripting (XSS) - Generic
Assigner
References
Impacted products
Vendor Product Version
Pivotal RabbitMQ Affected: prior to v3.7.18
    Pivotal RabbitMQ for PCF Affected: 1.15.x prior to 1.15.13
Affected: 11.16.x prior to 1.16.6
Affected: 1.17.x prior to 1.17.3

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:48:09.216Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://pivotal.io/security/cve-2019-11281"
          },
          {
            "name": "FEDORA-2019-6497f51791",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
          },
          {
            "name": "FEDORA-2019-74d2feb5be",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
          },
          {
            "name": "RHSA-2020:0078",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0078"
          },
          {
            "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "RabbitMQ",
          "vendor": "Pivotal",
          "versions": [
            {
              "status": "affected",
              "version": "prior to v3.7.18"
            }
          ]
        },
        {
          "product": "RabbitMQ for PCF",
          "vendor": "Pivotal",
          "versions": [
            {
              "status": "affected",
              "version": "1.15.x prior to 1.15.13"
            },
            {
              "status": "affected",
              "version": "1.16.x prior to 1.16.6"
            },
            {
              "status": "affected",
              "version": "1.17.x prior to 1.17.3"
            }
          ]
        }
      ],
      "datePublic": "2019-10-15T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 2.4,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Cross-site Scripting (XSS) - Generic",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-19T19:06:24",
        "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "shortName": "pivotal"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://pivotal.io/security/cve-2019-11281"
        },
        {
          "name": "FEDORA-2019-6497f51791",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
        },
        {
          "name": "FEDORA-2019-74d2feb5be",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
        },
        {
          "name": "RHSA-2020:0078",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0078"
        },
        {
          "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "RabbitMQ XSS attack",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@pivotal.io",
          "DATE_PUBLIC": "2019-10-15T20:59:25.000Z",
          "ID": "CVE-2019-11281",
          "STATE": "PUBLIC",
          "TITLE": "RabbitMQ XSS attack"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "RabbitMQ",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "prior to v3.7.18"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "RabbitMQ for PCF",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "1.15.x prior to 1.15.13"
                          },
                          {
                            "version_value": "1.16.x prior to 1.16.6"
                          },
                          {
                            "version_value": "1.17.x prior to 1.17.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Pivotal"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 2.4,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79: Cross-site Scripting (XSS) - Generic"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pivotal.io/security/cve-2019-11281",
              "refsource": "CONFIRM",
              "url": "https://pivotal.io/security/cve-2019-11281"
            },
            {
              "name": "FEDORA-2019-6497f51791",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
            },
            {
              "name": "FEDORA-2019-74d2feb5be",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
            },
            {
              "name": "RHSA-2020:0078",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0078"
            },
            {
              "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
    "assignerShortName": "pivotal",
    "cveId": "CVE-2019-11281",
    "datePublished": "2019-10-16T15:23:47.309415Z",
    "dateReserved": "2019-04-18T00:00:00",
    "dateUpdated": "2024-09-16T19:05:38.917Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-11287 (GCVE-0-2019-11287)

Vulnerability from cvelistv5 – Published: 2019-11-22 23:26 – Updated: 2024-09-16 22:24
Title
RabbitMQ Web Management Plugin DoS via heap overflow
Summary
Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing. Despite the title, this is memory exhaustion rather than a memory-corruption heap overflow: the record is classed CWE-400 and its CVSS vector scores availability impact only (C:N/I:N/A:H).
CWE
Assigner
Impacted products
Vendor Product Version
Pivotal RabbitMQ for Pivotal Platform Affected: 1.16 , < 1.16.7 (custom)
Affected: 1.17 , < 1.17.4 (custom)
    Pivotal RabbitMQ Affected: 3.7 , < v3.7.21 (custom)
Affected: 3.8 , < v3.8.1 (custom)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:48:09.092Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://pivotal.io/security/cve-2019-11287"
          },
          {
            "name": "FEDORA-2019-6497f51791",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
          },
          {
            "name": "FEDORA-2019-74d2feb5be",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
          },
          {
            "name": "RHSA-2020:0078",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0078"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin"
          },
          {
            "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "RabbitMQ for Pivotal Platform",
          "vendor": "Pivotal",
          "versions": [
            {
              "lessThan": "1.16.7",
              "status": "affected",
              "version": "1.16",
              "versionType": "custom"
            },
            {
              "lessThan": "1.17.4",
              "status": "affected",
              "version": "1.17",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "RabbitMQ",
          "vendor": "Pivotal",
          "versions": [
            {
              "lessThan": "v3.7.21",
              "status": "affected",
              "version": "3.7",
              "versionType": "custom"
            },
            {
              "lessThan": "v3.8.1",
              "status": "affected",
              "version": "3.8",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2019-11-22T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The \"X-Reason\" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Denial of Service",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-19T19:06:18",
        "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "shortName": "pivotal"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://pivotal.io/security/cve-2019-11287"
        },
        {
          "name": "FEDORA-2019-6497f51791",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
        },
        {
          "name": "FEDORA-2019-74d2feb5be",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
        },
        {
          "name": "RHSA-2020:0078",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0078"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin"
        },
        {
          "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "RabbitMQ Web Management Plugin DoS via heap overflow",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@pivotal.io",
          "DATE_PUBLIC": "2019-11-22T20:51:56.000Z",
          "ID": "CVE-2019-11287",
          "STATE": "PUBLIC",
          "TITLE": "RabbitMQ Web Management Plugin DoS via heap overflow"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "RabbitMQ for Pivotal Platform",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "1.16",
                            "version_value": "1.16.7"
                          },
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "1.17",
                            "version_value": "1.17.4"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "RabbitMQ",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "3.7",
                            "version_value": "v3.7.21"
                          },
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "3.8",
                            "version_value": "v3.8.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Pivotal"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The \"X-Reason\" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-400: Denial of Service"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pivotal.io/security/cve-2019-11287",
              "refsource": "CONFIRM",
              "url": "https://pivotal.io/security/cve-2019-11287"
            },
            {
              "name": "FEDORA-2019-6497f51791",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
            },
            {
              "name": "FEDORA-2019-74d2feb5be",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
            },
            {
              "name": "RHSA-2020:0078",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0078"
            },
            {
              "name": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin",
              "refsource": "MISC",
              "url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin"
            },
            {
              "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
    "assignerShortName": "pivotal",
    "cveId": "CVE-2019-11287",
    "datePublished": "2019-11-22T23:26:08.880149Z",
    "dateReserved": "2019-04-18T00:00:00",
    "dateUpdated": "2024-09-16T22:24:51.121Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-11291 (GCVE-0-2019-11291)

Vulnerability from cvelistv5 – Published: 2019-11-22 22:56 – Updated: 2024-09-17 00:31
Title
RabbitMQ XSS attack via federation and shovel endpoints
Summary
Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 versions prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.
CWE
  • CWE-79 - Cross-site Scripting (XSS) - Generic
Assigner
References
Impacted products
Vendor Product Version
Pivotal RabbitMQ Affected: 3.8 , < v3.8.1 (custom)
Affected: 3.7 , < v3.7.20 (custom)
    Pivotal RabbitMQ for Pivotal Platform Affected: 1.17 , < 1.17.4 (custom)
Affected: 1.16 , < 1.16.7 (custom)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:48:09.290Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://pivotal.io/security/cve-2019-11291"
          },
          {
            "name": "RHSA-2020:0553",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0553"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "RabbitMQ",
          "vendor": "Pivotal",
          "versions": [
            {
              "lessThan": "v3.8.1",
              "status": "affected",
              "version": "3.8",
              "versionType": "custom"
            },
            {
              "lessThan": "v3.7.20",
              "status": "affected",
              "version": "3.7",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "RabbitMQ for Pivotal Platform",
          "vendor": "Pivotal",
          "versions": [
            {
              "lessThan": "1.17.4",
              "status": "affected",
              "version": "1.17",
              "versionType": "custom"
            },
            {
              "lessThan": "1.16.7",
              "status": "affected",
              "version": "1.16",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2019-11-22T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Cross-site Scripting (XSS) - Generic",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-19T18:06:05",
        "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "shortName": "pivotal"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://pivotal.io/security/cve-2019-11291"
        },
        {
          "name": "RHSA-2020:0553",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0553"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "RabbitMQ XSS attack via federation and shovel endpoints",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@pivotal.io",
          "DATE_PUBLIC": "2019-11-22T20:37:00.000Z",
          "ID": "CVE-2019-11291",
          "STATE": "PUBLIC",
          "TITLE": "RabbitMQ XSS attack via federation and shovel endpoints"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "RabbitMQ",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "3.8",
                            "version_value": "v3.8.1"
                          },
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "3.7",
                            "version_value": "v3.7.20"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "RabbitMQ for Pivotal Platform",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "1.17",
                            "version_value": "1.17.4"
                          },
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "1.16",
                            "version_value": "1.16.7"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Pivotal"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79: Cross-site Scripting (XSS) - Generic"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pivotal.io/security/cve-2019-11291",
              "refsource": "CONFIRM",
              "url": "https://pivotal.io/security/cve-2019-11291"
            },
            {
              "name": "RHSA-2020:0553",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0553"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
    "assignerShortName": "pivotal",
    "cveId": "CVE-2019-11291",
    "datePublished": "2019-11-22T22:56:08.641103Z",
    "dateReserved": "2019-04-18T00:00:00",
    "dateUpdated": "2024-09-17T00:31:38.392Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-11281 (GCVE-0-2019-11281)

Vulnerability from cvelistv5 – Published: 2019-10-16 15:23 – Updated: 2024-09-16 19:05
Title
RabbitMQ XSS attack
Summary
Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.
CWE
  • CWE-79 - Cross-site Scripting (XSS) - Generic
Assigner
References
Impacted products
Vendor Product Version
Pivotal RabbitMQ Affected: prior to v3.7.18
    Pivotal RabbitMQ for PCF Affected: 1.15.x prior to 1.15.13
Affected: 1.16.x prior to 1.16.6
Affected: 1.17.x prior to 1.17.3

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:48:09.216Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://pivotal.io/security/cve-2019-11281"
          },
          {
            "name": "FEDORA-2019-6497f51791",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
          },
          {
            "name": "FEDORA-2019-74d2feb5be",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
          },
          {
            "name": "RHSA-2020:0078",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0078"
          },
          {
            "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "RabbitMQ",
          "vendor": "Pivotal",
          "versions": [
            {
              "status": "affected",
              "version": "prior to v3.7.18"
            }
          ]
        },
        {
          "product": "RabbitMQ for PCF",
          "vendor": "Pivotal",
          "versions": [
            {
              "status": "affected",
              "version": "1.15.x prior to 1.15.13"
            },
            {
              "status": "affected",
              "version": "11.16.x prior to 1.16.6"
            },
            {
              "status": "affected",
              "version": "1.17.x prior to 1.17.3"
            }
          ]
        }
      ],
      "datePublic": "2019-10-15T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 2.4,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Cross-site Scripting (XSS) - Generic",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-19T19:06:24",
        "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "shortName": "pivotal"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://pivotal.io/security/cve-2019-11281"
        },
        {
          "name": "FEDORA-2019-6497f51791",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
        },
        {
          "name": "FEDORA-2019-74d2feb5be",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
        },
        {
          "name": "RHSA-2020:0078",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0078"
        },
        {
          "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "RabbitMQ XSS attack",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@pivotal.io",
          "DATE_PUBLIC": "2019-10-15T20:59:25.000Z",
          "ID": "CVE-2019-11281",
          "STATE": "PUBLIC",
          "TITLE": "RabbitMQ XSS attack"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "RabbitMQ",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "prior to v3.7.18"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "RabbitMQ for PCF",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "1.15.x prior to 1.15.13"
                          },
                          {
                            "version_value": "11.16.x prior to 1.16.6"
                          },
                          {
                            "version_value": "1.17.x prior to 1.17.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Pivotal"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 2.4,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79: Cross-site Scripting (XSS) - Generic"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pivotal.io/security/cve-2019-11281",
              "refsource": "CONFIRM",
              "url": "https://pivotal.io/security/cve-2019-11281"
            },
            {
              "name": "FEDORA-2019-6497f51791",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"
            },
            {
              "name": "FEDORA-2019-74d2feb5be",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"
            },
            {
              "name": "RHSA-2020:0078",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0078"
            },
            {
              "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
    "assignerShortName": "pivotal",
    "cveId": "CVE-2019-11281",
    "datePublished": "2019-10-16T15:23:47.309415Z",
    "dateReserved": "2019-04-18T00:00:00",
    "dateUpdated": "2024-09-16T19:05:38.917Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}