CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
40.6%
Severity: Low
Date : 2021-07-06
CVE-ID : CVE-2021-32718 CVE-2021-32719
Package : rabbitmq
Type : cross-site scripting
Remote : Yes
Link : https://security.archlinux.org/AVG-2109
The package rabbitmq before version 3.8.19-1 is vulnerable to cross-
site scripting.
Upgrade to 3.8.19-1.
The problems have been fixed upstream in version 3.8.19.
As a workaround, disable the rabbitmq_management plugin and use CLI
tools for management operations and Prometheus and Grafana for metrics
and monitoring.
In rabbitmq-server prior to version 3.8.17, a new user being added via
management UI could lead to the user’s bane being rendered in a
confirmation message without proper <script> tag sanitization,
potentially allowing for JavaScript code execution in the context of
the page. In order for this to occur, the user must be signed in and
have elevated permissions (other user management).
In rabbitmq-server prior to version 3.8.18, when a federation link was
displayed in the RabbitMQ management UI via the
rabbitmq_federation_management plugin, its consumer tag was rendered
without proper <script> tag sanitization, potentially allowing for
JavaScript code execution in the context of the page.
Crafted user banes and federation links could be used to inject
arbitrary JavaScript code into the management web UI.
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-c3hj-rg5h-2772
https://github.com/rabbitmq/rabbitmq-server/pull/3028
https://github.com/rabbitmq/rabbitmq-server/commit/a7373585faeac0aaede5a9c245094d8022e81299
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hxj4-773x
https://github.com/rabbitmq/rabbitmq-server/pull/3122
https://github.com/rabbitmq/rabbitmq-server/commit/08beb82e9ab8923ded88ece2800cd80971e2bd05
https://security.archlinux.org/CVE-2021-32718
https://security.archlinux.org/CVE-2021-32719
github.com/rabbitmq/rabbitmq-server/commit/08beb82e9ab8923ded88ece2800cd80971e2bd05
github.com/rabbitmq/rabbitmq-server/commit/a7373585faeac0aaede5a9c245094d8022e81299
github.com/rabbitmq/rabbitmq-server/pull/3028
github.com/rabbitmq/rabbitmq-server/pull/3122
github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hxj4-773x
github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-c3hj-rg5h-2772
security.archlinux.org/AVG-2109
security.archlinux.org/CVE-2021-32718
security.archlinux.org/CVE-2021-32719
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
40.6%