Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2021-32718

Опубликовано: 06 мая 2021
Источник: redhat
CVSS3: 5.4
EPSS Низкий

Описание

RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.17, a new user being added via management UI could lead to the user's bane being rendered in a confirmation message without proper <script> tag sanitization, potentially allowing for JavaScript code execution in the context of the page. In order for this to occur, the user must be signed in and have elevated permissions (other user management). The vulnerability is patched in RabbitMQ 3.8.17. As a workaround, disable rabbitmq_management plugin and use CLI tools for management operations and Prometheus and Grafana for metrics and monitoring.

Отчет

Red Hat OpenStack Platform ships a vulnerable version of RabbitMQ but it is not exposed outside the management network. As this network is tightly-regulated to OpenStack administrators, the risk for abuse is significantly reduced.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Ansible Tower 3rabbitmq-serverNot affected
Red Hat OpenStack Platform 10 (Newton)rabbitmq-serverOut of support scope
Red Hat OpenStack Platform 13 (Queens)rabbitmq-serverOut of support scope
Red Hat OpenStack Platform 16.1rabbitmq-serverFixedRHSA-2022:886707.12.2022
Red Hat OpenStack Platform 16.2rabbitmq-serverFixedRHSA-2022:885107.12.2022

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Low
Дефект:
CWE-79
https://bugzilla.redhat.com/show_bug.cgi?id=1977002rabbitmq-server: improper neutralization of script-related HTML tags in a web page (basic XSS) in management UI

EPSS

Процентиль: 22%
0.00071
Низкий

5.4 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2021-32718

CVSS3: 3.1
ubuntu
больше 4 лет назад

RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.17, a new user being added via management UI could lead to the user's bane being rendered in a confirmation message without proper `<script>` tag sanitization, potentially allowing for JavaScript code execution in the context of the page. In order for this to occur, the user must be signed in and have elevated permissions (other user management). The vulnerability is patched in RabbitMQ 3.8.17. As a workaround, disable `rabbitmq_management` plugin and use CLI tools for management operations and Prometheus and Grafana for metrics and monitoring.

nvd логотип

CVE-2021-32718

CVSS3: 3.1
nvd
больше 4 лет назад

RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.17, a new user being added via management UI could lead to the user's bane being rendered in a confirmation message without proper `<script>` tag sanitization, potentially allowing for JavaScript code execution in the context of the page. In order for this to occur, the user must be signed in and have elevated permissions (other user management). The vulnerability is patched in RabbitMQ 3.8.17. As a workaround, disable `rabbitmq_management` plugin and use CLI tools for management operations and Prometheus and Grafana for metrics and monitoring.

debian логотип

CVE-2021-32718

CVSS3: 3.1
debian
больше 4 лет назад

RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prio ...

fstec логотип

BDU:2025-04152

CVSS3: 3.1
fstec
больше 4 лет назад

Уязвимость брокера сообщений RabbitMQ, связанная с непринятием мер по нейтрализации script-related тэгов html на веб-странице, позволяющая нарушителю оказать воздействие на целостность данных

suse-cvrf логотип

openSUSE-SU-2021:3325-1

suse-cvrf
больше 4 лет назад

Security update for rabbitmq-server

EPSS

Процентиль: 22%
0.00071
Низкий

5.4 Medium

CVSS3