CVE-2021-22117: RabbitMQ Server vulnerable to arbitrary code execution attack
Severity

High

Vendor

VMware Tanzu

Description

RabbitMQ installers on Windows prior to version 3.8.16 do not harden plugin directory permissions, potentially allowing attackers with sufficient local filesystem permissions to add arbitrary plugins.

A malicious actor can execute arbitrary code on the running RabbitMQ server by adding arbitrary plugins.
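As an added defender-side check (not VMware's or RabbitMQ's own code), the script below audits the ACL of a RabbitMQ plugins directory on Windows and reports any allow entry that grants write or modify rights to broad principals such as Everyone, BUILTIN\Users or Authenticated Users. It assumes the plugins directory lives under the RABBITMQ_HOME environment variable that the Windows installer sets; pass -PluginsDir explicitly if your layout differs. The list of broad principals is an assumption to tune per environment.

```powershell
# Added example: audit a RabbitMQ plugins directory for write access granted to
# broad principals. Not VMware's or RabbitMQ's code.
# Assumption: the plugins directory is <RABBITMQ_HOME>\plugins; override with -PluginsDir.
param(
    [string]$PluginsDir = (Join-Path $env:RABBITMQ_HOME 'plugins')
)

# Principals that should never be able to add or replace plugin archives.
# Adjust for your environment (assumed list).
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights is enough to drop or overwrite a plugin file.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData

function Test-PluginsDirAcl {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Plugins directory not found: $Path"
    }

    $acl = Get-Acl -LiteralPath $Path

    # Emit one record per allow ACE that gives a broad principal write rights.
    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id       = $ace.IdentityReference.Value
        $isBroad  = $BroadPrincipals -contains $id
        $hasWrite = ($ace.FileSystemRights -band $WriteRights) -ne 0
        if ($isBroad -and $hasWrite) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    return $findings
}

$results = Test-PluginsDirAcl -Path $PluginsDir
if ($results) {
    Write-Warning "Broad write access on $PluginsDir; restrict to Administrators and the RabbitMQ service account."
    $results | Format-Table -AutoSize
} else {
    Write-Output "OK: no broad write access on $PluginsDir"
}
```

Run it as a local administrator on each Windows broker host; a non-empty table means a local user outside the intended administrators could place a plugin where the server loads it, which is the condition this advisory describes. Inherited entries usually point at a permissive parent directory rather than the plugins folder itself, so fix the ACL at the level where the entry originates and re-run the check after upgrading to 3.8.16 or later.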

Affected VMware Products and Versions

Severity is high unless otherwise noted.

  • RabbitMQ
    • obsolete-default.x versions
    • 3.8.x versions prior to 3.8.16

Mitigation

Users of affected versions should apply the following mitigation or upgrade:

  • RabbitMQ
    • 3.8.16

Credit

Robert Chen from DeepSurface Security

References

  • https://tanzu.vmware.com/security/cve-2021-22117

History

2021-05-10: Initial vulnerability report published.
