CVE-2021-32719

Published: Jun 28, 2021

Modified: Aug 3, 2024

PUBLISHED

CVSS v3.1

3.1

LOW

Description

RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.18, when a federation link was displayed in the RabbitMQ management UI via the `rabbitmq_federation_management` plugin, its consumer tag was rendered without proper <script> tag sanitization. This potentially allows for JavaScript code execution in the context of the page. The user must be signed in and have elevated permissions (manage federation upstreams and policies) for this to occur. The vulnerability is patched in RabbitMQ 3.8.18. As a workaround, disable the `rabbitmq_federation_management` plugin and use [CLI tools](https://www.rabbitmq.com/cli.html) instead.

Vendor	Product	Versions
rabbitmq	rabbitmq-server	affected `< 3.8.18`

Weaknesses (CWE)

CWE-80

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hxj4-773x

x_refsource_CONFIRM

https://github.com/rabbitmq/rabbitmq-server/pull/3122

x_refsource_MISC

https://herolab.usd.de/security-advisories/usd-2021-0011/

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-32719

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References