CVE-2019-11281

Description

Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.

CVSS Metrics

• v3.1•MEDIUM•Score: 4.8CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
• v3.0•LOW•Score: 2.4CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
• v2.0•LOW•Score: 3.5AV:N/AC:M/Au:S/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 1.01%• Percentile: 77%

Techniques & Countermeasures

• CWE-79•Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Affected Systems

• debian•debian_linux

  9.0

• fedoraproject•fedora

  30 | 31

• pivotal_software•rabbitmq

  < 3.7.18 | ≥ 1.15.0, < 1.15.13 | ≥ 1.16.0, < 1.16.6 | ≥ 1.17.0, < 1.17.3

• pivotal•rabbitmq

  prior to v3.7.18

• pivotal•rabbitmq for pcf

  1.15.x prior to 1.15.13 | 11.16.x prior to 1.16.6 | 1.17.x prior to 1.17.3

• redhat•openstack

  15

• redhat•openstack_for_ibm_power

  15

References (5)

• https://pivotal.io/security/cve-2019-11281
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/
• https://access.redhat.com/errata/RHSA-2020:0078
• https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html