Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-11281

Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.

Published

2019-10-16T16:15:10.340

Last Modified

2024-11-21T04:20:50.700

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.8 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:S/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

6.8

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-79
Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	pivotal_software	rabbitmq	< 3.7.18	Yes
Application	pivotal_software	rabbitmq	< 1.15.13	Yes
Application	pivotal_software	rabbitmq	< 1.16.6	Yes
Application	pivotal_software	rabbitmq	< 1.17.3	Yes
Application	redhat	openstack	15	Yes
Application	redhat	openstack_for_ibm_power	15	Yes
Operating System	debian	debian_linux	9.0	Yes
Operating System	fedoraproject	fedora	30	Yes
Operating System	fedoraproject	fedora	31	Yes

References

https://access.redhat.com/errata/RHSA-2020:0078 Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html Mailing List, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/ ([email protected])
https://pivotal.io/security/cve-2019-11281 Vendor Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2020:0078 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/ (af854a3a-2127-422b-91ae-364da2661108)
https://pivotal.io/security/cve-2019-11281 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)