Debian Bug report logs -
#990524
rabbitmq-server: CVE-2021-32719 CVE-2021-32718
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>:
Bug#990524; Package src:rabbitmq-server.
(Thu, 01 Jul 2021 11:24:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>.
(Thu, 01 Jul 2021 11:24:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: rabbitmq-server
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for rabbitmq-server.
CVE-2021-32719[0]:
| RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server
| prior to version 3.8.18, when a federation link was displayed in the
| RabbitMQ management UI via the `rabbitmq_federation_management`
| plugin, its consumer tag was rendered without proper <script>
| tag sanitization. This potentially allows for JavaScript code
| execution in the context of the page. The user must be signed in and
| have elevated permissions (manage federation upstreams and policies)
| for this to occur. The vulnerability is patched in RabbitMQ 3.8.18. As
| a workaround, disable the `rabbitmq_federation_management` plugin and
| use [CLI tools](https://www.rabbitmq.com/cli.html) instead.
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hxj4-773x
https://github.com/rabbitmq/rabbitmq-server/pull/3122
CVE-2021-32718[1]:
| RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server
| prior to version 3.8.17, a new user being added via management UI
| could lead to the user's bane being rendered in a confirmation message
| without proper `<script>` tag sanitization, potentially allowing
| for JavaScript code execution in the context of the page. In order for
| this to occur, the user must be signed in and have elevated
| permissions (other user management). The vulnerability is patched in
| RabbitMQ 3.8.17. As a workaround, disable `rabbitmq_management` plugin
| and use CLI tools for management operations and Prometheus and Grafana
| for metrics and monitoring.
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-c3hj-rg5h-2772
https://github.com/rabbitmq/rabbitmq-server/pull/3028
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-32719
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32719
[1] https://security-tracker.debian.org/tracker/CVE-2021-32718
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32718
Please adjust the affected versions in the BTS as needed.
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 01 Jul 2021 13:12:02 GMT) (full text, mbox, link).
Marked as found in versions rabbitmq-server/3.8.9-3.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 01 Jul 2021 13:12:03 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Thu Jul 1 16:15:47 2021;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon