CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | SINGLE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector | AV:N/AC:M/Au:S/C:N/I:P/A:N |

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | REQUIRED |
Scope | CHANGED |
Confidentiality Impact | LOW |
Integrity Impact | LOW |
Availability Impact | NONE |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |

EPSS

Metric | Value |
---|---|
Percentile | 40.6% |
RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.17, adding a new user via the management UI could lead to the user's name being rendered in a confirmation message without proper `<script>` tag sanitization, potentially allowing JavaScript code execution in the context of the page. For this to occur, the user must be signed in and have elevated permissions (management of other users). The vulnerability is patched in RabbitMQ 3.8.17. As a workaround, disable the rabbitmq_management plugin and use CLI tools for management operations, and Prometheus and Grafana for metrics and monitoring.
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | rabbitmq-server | < any | UNKNOWN |
ubuntu | 20.04 | noarch | rabbitmq-server | < any | UNKNOWN |
ubuntu | 16.04 | noarch | rabbitmq-server | < any | UNKNOWN |