Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in RabbitMQ federation management plugin
CVE-2021-32719

3.1LOW

Key Information:

Vendor

RabbitMQ

Status
RabbitMQ-server
Vendor
CVE Published:
28 June 2021

What is CVE-2021-32719?

RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.18, when a federation link was displayed in the RabbitMQ management UI via the rabbitmq_federation_management plugin, its consumer tag was rendered without proper tag sanitization. This potentially allows for JavaScript code execution in the context of the page. The user must be signed in and have elevated permissions (manage federation upstreams and policies) for this to occur. The vulnerability is patched in RabbitMQ 3.8.18. As a workaround, disable the rabbitmq_federation_management plugin and use CLI tools instead.

Affected Version(s)

rabbitmq-server < 3.8.18

References

https://github.com/rabbitmq/rabbitmq-server/security/advi...
x_refsource_CONFIRM
https://github.com/rabbitmq/rabbitmq-server/pull/3122
x_refsource_MISC
https://herolab.usd.de/security-advisories/usd-2021-0011/
x_refsource_MISC

CVSS V3.1

Score:
3.1
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.