Source: rabbitmq-server
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,

The following vulnerabilities were published for rabbitmq-server.

CVE-2021-32719[0]:
| RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server
| prior to version 3.8.18, when a federation link was displayed in the
| RabbitMQ management UI via the `rabbitmq_federation_management`
| plugin, its consumer tag was rendered without proper <script>
| tag sanitization. This potentially allows for JavaScript code
| execution in the context of the page. The user must be signed in and
| have elevated permissions (manage federation upstreams and policies)
| for this to occur. The vulnerability is patched in RabbitMQ 3.8.18. As
| a workaround, disable the `rabbitmq_federation_management` plugin and
| use [CLI tools](https://www.rabbitmq.com/cli.html) instead.

https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hxj4-773x
https://github.com/rabbitmq/rabbitmq-server/pull/3122

CVE-2021-32718[1]:
| RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server
| prior to version 3.8.17, a new user being added via management UI
| could lead to the user's name being rendered in a confirmation message
| without proper `<script>` tag sanitization, potentially allowing
| for JavaScript code execution in the context of the page. In order for
| this to occur, the user must be signed in and have elevated
| permissions (other user management). The vulnerability is patched in
| RabbitMQ 3.8.17. As a workaround, disable `rabbitmq_management` plugin
| and use CLI tools for management operations and Prometheus and Grafana
| for metrics and monitoring.

https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-c3hj-rg5h-2772
https://github.com/rabbitmq/rabbitmq-server/pull/3028

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32719
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32719
[1] https://security-tracker.debian.org/tracker/CVE-2021-32718
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32718

Please adjust the affected versions in the BTS as needed.
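Both advisories describe the same defect class: a user-controlled string (a new user's name, a federation link's consumer tag) is placed into the management UI's HTML without escaping. The following is an added illustration, not RabbitMQ's code and not the upstream fix; the template strings, function names and sample values are constructed for the example, and the unsafe variant is kept only to contrast with the escaped one.

```javascript
// Added example (not RabbitMQ's own code): escaping user-controlled values
// before they are placed into HTML, for the two rendering paths named in
// CVE-2021-32718 (user confirmation message) and CVE-2021-32719
// (federation link consumer tag). Template markup is hypothetical.

// Escape the five characters that can change HTML structure.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe: the name is concatenated straight into markup. Kept for contrast.
function renderUserAddedMessageUnsafe(userName) {
  return '<p>Added user <b>' + userName + '</b></p>';
}

// Hardened: confirmation shown after a user is created.
function renderUserAddedMessage(userName) {
  return `<p>Added user <b>${escapeHtml(userName)}</b></p>`;
}

// Hardened: one row of a federation links table; both cells are escaped.
function renderFederationLinkRow(link) {
  return (
    '<tr>' +
    `<td>${escapeHtml(link.upstream)}</td>` +
    `<td>${escapeHtml(link.consumerTag)}</td>` +
    '</tr>'
  );
}

// Check for a UI unit test: the rendered markup may contain only the tags
// the template itself emits, so no user-supplied tag can survive.
function containsOnlyTemplateTags(html, allowedTags) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.every((t) => allowedTags.includes(t.replace(/^<\/?/, '').toLowerCase()));
}

// Constructed sample values carrying markup, as a user might submit them.
const sampleUser = 'alice<script>x</script>';
const sampleLink = { upstream: 'upstream-1', consumerTag: 'tag<script>x</script>' };
```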