[manjaro-security] [ASA-202107-17] rabbitmq: cross-site scripting
Jonas Witschel via arch-security
arch-security at lists.archlinux.org
Fri Jul 9 16:16:34 CEST 2021
Arch Linux Security Advisory ASA-202107-17
Date : 2021-07-06
CVE-ID : CVE-2021-32718 CVE-2021-32719
Package : rabbitmq
Type : cross-site scripting
Remote : Yes
Link : https://security.archlinux.org/AVG-2109
The package rabbitmq before version 3.8.19-1 is vulnerable to cross-
Upgrade to 3.8.19-1.
# pacman -Syu "rabbitmq>=3.8.19-1"
The problems have been fixed upstream in version 3.8.19.
As a workaround, disable the rabbitmq_management plugin and use CLI
tools for management operations and Prometheus and Grafana for metrics
- CVE-2021-32718 (cross-site scripting)
In rabbitmq-server prior to version 3.8.17, a new user being added via
management UI could lead to the user's name being rendered in a
confirmation message without proper <script> tag sanitization,
the page. In order for this to occur, the user must be signed in and
have elevated permissions (other user management).
- CVE-2021-32719 (cross-site scripting)
In rabbitmq-server prior to version 3.8.18, when a federation link was
displayed in the RabbitMQ management UI via the
rabbitmq_federation_management plugin, its consumer tag was rendered
without proper <script> tag sanitization, potentially allowing for
Crafted user names and federation links could be used to inject
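Added example, not RabbitMQ's own code: the rendering pattern behind both CVEs, a user-controlled string (a new user's name, a federation link's consumer tag) interpolated into management-UI markup, beside the hardened form that HTML-escapes it before interpolation. Function names and the sample input are assumptions for illustration; escaping every HTML metacharacter, rather than stripping only `<script>` tags, is the robust fix.

```javascript
// Hypothetical helpers modelling the advisory's bug class; not RabbitMQ code.

// Escape the five HTML metacharacters so the string is shown as text,
// never parsed as markup, wherever it lands in element content or attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (CVE-2021-32718 shape): the new user's name is dropped
// raw into the confirmation message, so any tag in it becomes live markup.
function userAddedMessageUnsafe(name) {
  return `<div class="msg">User <b>${name}</b> was added.</div>`;
}

// Hardened: the name is data; escape it at the point it enters HTML.
function userAddedMessageSafe(name) {
  return `<div class="msg">User <b>${escapeHtml(name)}</b> was added.</div>`;
}

// Same fix for a federation link row (CVE-2021-32719 shape): the consumer
// tag comes from link configuration and must be treated as untrusted text.
function federationLinkRowSafe(link) {
  return `<tr><td>${escapeHtml(link.consumerTag)}</td></tr>`;
}

// Regression check a UI test can apply to any rendered fragment:
// does a raw <script tag from the input survive into the output?
function containsRawScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample input (benign marker, no real payload).
const constructedName = 'alice<script>alert(1)</script>';
console.log(containsRawScriptTag(userAddedMessageUnsafe(constructedName))); // true
console.log(containsRawScriptTag(userAddedMessageSafe(constructedName)));   // false
```

The escaped output renders the literal text `alice<script>alert(1)</script>` in the browser, which is what an operator wants to see for an oddly named user.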