CVE-2021-32718
RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.17, a new user being added via the management UI could lead to the user's name being rendered in a confirmation message without proper <script> tag sanitization, potentially allowing JavaScript code execution in the context of the page. For this to occur, the attacker must be signed in and have elevated permissions (management of other users). The vulnerability is patched in RabbitMQ 3.8.17. As a workaround, disable the rabbitmq_management plugin and use CLI tools for management operations, and Prometheus and Grafana for metrics and monitoring.
Affected versions
< 3.8.17
Our team would like to thank Christian Rellmann from usd AG for responsibly disclosing the vulnerability and helping us verify a fix.
Impact
When a new user was added via the management UI, its name was rendered in a confirmation message without proper <script> tag sanitization, potentially allowing JavaScript code execution in the context of the page.
The user must be signed in and have elevated permissions (management of other users).
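The bug class described above is a user-controlled name interpolated into page markup without HTML escaping. The following is an added illustration, not RabbitMQ project code: the unsafe concatenation pattern next to a hardened renderer that escapes the name first, plus a small helper that tells you whether a rabbitmq-server version string falls in the advisory's affected range (< 3.8.17). The function names and the sample user name are constructed for this example.

```javascript
// Added example (not RabbitMQ project code). Demonstrates why an unescaped
// user name in a confirmation message becomes live markup, and how escaping
// neutralises it. Runs in Node without a DOM: the renderers return strings.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: raw concatenation into markup. If this string is later
// assigned via innerHTML, a name containing <script> is parsed as a real tag.
function renderConfirmationUnsafe(name) {
  return "<p>Added user " + name + "</p>";
}

// Hardened pattern: escape before interpolation so the name is inert text.
function renderConfirmationSafe(name) {
  return "<p>Added user " + escapeHtml(name) + "</p>";
}

// Crude check used only to contrast the two renderers: does the markup still
// contain a literal <script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// True when a rabbitmq-server version string is inside the affected range
// stated in this advisory (< 3.8.17). 3.8.17 itself is patched.
function isAffected(version) {
  const v = version.split(".").map(Number);
  const fixed = [3, 8, 17];
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] < fixed[i];
  }
  return false;
}

// Constructed sample input: a user name carrying a <script> tag.
const sampleName = "<script>x</script>";

console.log(renderConfirmationUnsafe(sampleName)); // tag survives intact
console.log(renderConfirmationSafe(sampleName));   // tag rendered as text
console.log("3.8.16 affected:", isAffected("3.8.16"));
```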
Patches
- The vulnerability is patched in RabbitMQ 3.8.17 or a later version.
- rabbitmq/rabbitmq-server#3028
Workarounds
Disable the rabbitmq_management plugin and use CLI tools for management operations, and Prometheus and Grafana for metrics and monitoring.
References
None.
For more information
If you have any questions or comments about this advisory, please contact [email protected].
CVSS Score
3.1 Low
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N