CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS
Percentile
86.2%
Updated rabbitmq-server package fixes security vulnerabilities: RabbitMQ before 3.4.1 does not prevent /api/* from returning text/html error messages which could act as an XSS vector (CVE-2014-9649). RabbitMQ before 3.4.1 has a response-splitting vulnerability in /api/downloads (CVE-2014-9650). In RabbitMQ before 3.4.3, some user-controllable content was not properly HTML-escaped before being presented to a user in the management web UI. An attacker could publish a specially crafted message, policy name, or client version to execute arbitrary Javascript code on behalf of a user who was viewing messages, policies, or connected clients in the management UI. In all cases, the attacker needs a valid user account on the targetted RabbitMQ cluster (CVE-2015-0862). The rabbitmq-server package has been updated to version 3.5.3, fixing these issues and several other bugs.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Mageia | 4 | noarch | rabbitmq-server | < 3.5.3-1 | rabbitmq-server-3.5.3-1.mga4 |