[manjaro-security] [ASA-202107-17] rabbitmq: cross-site scripting
Jonas Witschel via arch-security
arch-security at lists.archlinux.org
Fri Jul 9 16:16:34 CEST 2021
Arch Linux Security Advisory ASA-202107-17
==========================================
Severity: Low
Date : 2021-07-06
CVE-ID : CVE-2021-32718 CVE-2021-32719
Package : rabbitmq
Type : cross-site scripting
Remote : Yes
Link : https://security.archlinux.org/AVG-2109
Summary
=======
The package rabbitmq before version 3.8.19-1 is vulnerable to cross-
site scripting.
Resolution
==========
Upgrade to 3.8.19-1.
# pacman -Syu "rabbitmq>=3.8.19-1"
The problems have been fixed upstream in version 3.8.19.
Workaround
==========
As a workaround, disable the rabbitmq_management plugin and use CLI
tools for management operations and Prometheus and Grafana for metrics
and monitoring.
Description
===========
- CVE-2021-32718 (cross-site scripting)
In rabbitmq-server prior to version 3.8.17, a new user being added via
management UI could lead to the user's bane being rendered in a
confirmation message without proper <script> tag sanitization,
potentially allowing for JavaScript code execution in the context of
the page. In order for this to occur, the user must be signed in and
have elevated permissions (other user management).
- CVE-2021-32719 (cross-site scripting)
In rabbitmq-server prior to version 3.8.18, when a federation link was
displayed in the RabbitMQ management UI via the
rabbitmq_federation_management plugin, its consumer tag was rendered
without proper <script> tag sanitization, potentially allowing for
JavaScript code execution in the context of the page.
Impact
======
Crafted user banes and federation links could be used to inject
arbitrary JavaScript code into the management web UI.
References
==========
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-c3hj-rg5h-2772
https://github.com/rabbitmq/rabbitmq-server/pull/3028
https://github.com/rabbitmq/rabbitmq-server/commit/a7373585faeac0aaede5a9c245094d8022e81299
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hxj4-773x
https://github.com/rabbitmq/rabbitmq-server/pull/3122
https://github.com/rabbitmq/rabbitmq-server/commit/08beb82e9ab8923ded88ece2800cd80971e2bd05
https://security.archlinux.org/CVE-2021-32718
https://security.archlinux.org/CVE-2021-32719
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20210709/dcfe7369/attachment.sig>
More information about the manjaro-security
mailing list