An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2017-4965 from the MITRE CVE dictionary and NIST NVD.
This issue affects rabbitmq-server plugins as shipped with:
* Red Hat Storage Console 2
* Red Hat Enterprise Linux OpenStack Platform 5, 6, 7
* Red Hat OpenStack Platform 8, 9, 10, 11
Although RabbitMQ plugins are shipped in these products, no plugins are enabled or used by default.
To verify your environment's plugin usage, run:
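As an added check, not part of this advisory and not the RabbitMQ project's own tooling: the script below parses the output of `rabbitmq-plugins list -m -e` (assumed flags from the 3.6 CLI: `-m` for minimal output, `-e` for enabled plugins only) and reports whether `rabbitmq_management`, the plugin that serves the UI whose forms are affected, is enabled on the host. The sample outputs are constructed so the parser can be exercised offline.

```python
"""Report whether the RabbitMQ management UI plugin is enabled on this host.

Added example; not Red Hat's or the RabbitMQ project's code. It assumes that
`rabbitmq-plugins list -m -e` prints one enabled plugin name per line (the
-m/minimal and -e/enabled-only flags of the RabbitMQ 3.6 CLI).
"""
import re
import subprocess

# Plugin that serves the management UI described in the advisory.
MANAGEMENT_PLUGINS = {"rabbitmq_management"}

# A plugin name as printed by rabbitmq-plugins (letters, digits, underscores).
PLUGIN_NAME = re.compile(r"^[A-Za-z0-9_]+$")


def parse_enabled_plugins(output: str) -> set:
    """Parse `rabbitmq-plugins list` output into a set of plugin names.

    Minimal output is one name per line. Non-minimal output lines look like
    "[E*] rabbitmq_management 3.6.8"; those are tolerated by dropping the
    status marker and the version. Header lines are ignored.
    """
    names = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("["):
            line = line.split("]", 1)[1].strip()
        name = line.split()[0] if line else ""
        if PLUGIN_NAME.match(name):
            names.add(name)
    return names


def management_ui_enabled(output: str) -> bool:
    """True if any management UI plugin appears in the enabled-plugin output."""
    return bool(MANAGEMENT_PLUGINS & parse_enabled_plugins(output))


def check_local_broker() -> bool:
    """Run the CLI on this host and evaluate its output (needs rabbitmq-plugins)."""
    result = subprocess.run(
        ["rabbitmq-plugins", "list", "-m", "-e"],
        capture_output=True, text=True, check=True,
    )
    return management_ui_enabled(result.stdout)


# Constructed sample outputs (not captured from a real broker).
SAMPLE_ENABLED = "rabbitmq_management\nrabbitmq_management_agent\nrabbitmq_web_dispatch\n"
SAMPLE_DEFAULT = ""  # no plugins enabled: the shipping default the advisory describes

if __name__ == "__main__":
    print("sample with management UI enabled:", management_ui_enabled(SAMPLE_ENABLED))
    print("sample with default plugin set:", management_ui_enabled(SAMPLE_DEFAULT))
```

A host where `management_ui_enabled` returns `False` is not exposed to this issue through the affected UI; on a host where it returns `True`, the management listener is the surface to restrict or monitor until an update is available.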
A future update may address this issue. Red Hat Product Security has rated this issue as having Moderate security impact. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
CVSS3 Base Score | 6.1 |
---|---|
CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Attack Vector | Network |
Attack Complexity | Low |
Privileges Required | None |
User Interaction | Required |
Scope | Changed |
Confidentiality Impact | Low |
Integrity Impact | Low |
Availability Impact | None |
Platform | Package | State |
---|---|---|
Red Hat Storage Console 2 | rabbitmq-server | Will not fix |
Red Hat OpenStack Platform 9.0 | rabbitmq-server | Will not fix |
Red Hat OpenStack Platform 8.0 (Liberty) | rabbitmq-server | Will not fix |
Red Hat OpenStack Platform 11.0 (Ocata) | rabbitmq-server | Will not fix |
Red Hat OpenStack Platform 10 | rabbitmq-server | Will not fix |
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 | rabbitmq-server | Will not fix |
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 | rabbitmq-server | Will not fix |
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) | rabbitmq-server | Will not fix |