CVE-2019-11281: RabbitMQ XSS attack
First published: Wed Oct 16 2019(Updated: )
Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.
Credit: security@pivotal.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Pivotal Software RabbitMQ | <3.7.18 | |
| Pivotal Software Rabbitmq | >=1.15.0<1.15.13 | |
| Pivotal Software Rabbitmq | >=1.16.0<1.16.6 | |
| Pivotal Software Rabbitmq | >=1.17.0<1.17.3 | |
| Redhat Openstack | =15 | |
| Redhat Openstack For Ibm Power | =15 | |
| Debian Debian Linux | =9.0 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2020:0078
- https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/
- https://pivotal.io/security/cve-2019-11281
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/
Frequently Asked Questions
What is the severity of CVE-2019-11281?
The severity of CVE-2019-11281 is medium with a CVSS score of 4.8.
Which versions of Pivotal RabbitMQ and RabbitMQ for PCF are affected by CVE-2019-11281?
Pivotal RabbitMQ versions prior to v3.7.18, RabbitMQ for PCF versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3 are affected by CVE-2019-11281.
What components in Pivotal RabbitMQ and RabbitMQ for PCF are affected by CVE-2019-11281?
The virtual host limits page and the federation management UI in Pivotal RabbitMQ and RabbitMQ for PCF are affected by CVE-2019-11281.
How can user input be improperly sanitized in Pivotal RabbitMQ and RabbitMQ for PCF?
User input may not be properly sanitized in the virtual host limits page and the federation management UI in Pivotal RabbitMQ and RabbitMQ for PCF.
How can I fix CVE-2019-11281?
To fix CVE-2019-11281, upgrade to Pivotal RabbitMQ version 3.7.18 or later and RabbitMQ for PCF version 1.15.13 or later.
- agent/type
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/author
- agent/weakness
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/title
- agent/severity
- agent/tags
- agent/first-publish-date
- agent/event
- vendor/pivotal software
- canonical/pivotal software rabbitmq
- version/pivotal software rabbitmq/1.15.0
- version/pivotal software rabbitmq/1.16.0
- version/pivotal software rabbitmq/1.17.0
- vendor/redhat
- canonical/redhat openstack
- version/redhat openstack/15
- canonical/redhat openstack for ibm power
- version/redhat openstack for ibm power/15
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31