Headline
GHSA-pj33-75x5-32j4: RabbitMQ HTTP API's queue deletion endpoint does not verify that the user has a required permission
Summary
Queue deletion via the HTTP API was not verifying the configure permission of the user.
Impact
Users who had all of the following:
- Valid credentials
- Some permissions for the target virtual host
- HTTP API access
could delete queues for which they had no (deletion) permission.
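As an added illustration (not code from rabbitmq-server), the following Python model contrasts the two authorization gates: the flawed one the advisory describes, which only asks whether the user holds any permission on the virtual host, and the correct one, which requires the user's configure regex for that vhost to match the queue name. The permission table and queue names are constructed, and anchored full-match of the regex is an assumption of the model.

```python
import re

# Constructed permission table in the shape of RabbitMQ's per-vhost permissions:
# each user gets a configure / write / read regex per virtual host. This is an
# added model of the check, not code from rabbitmq-server.
PERMS = {
    ("alice", "/"): {"configure": "^alice-.*$", "write": ".*", "read": ".*"},
    # bob may consume from and publish to his own queues but may not configure
    # (declare or delete) anything: an empty-string regex matches nothing.
    ("bob", "/"):   {"configure": "^$", "write": "^bob-.*$", "read": ".*"},
}

def _matches(regex, name):
    # Assumption of this model: the permission regex must match the whole name.
    return re.fullmatch(regex, name) is not None

def can_delete_queue_vulnerable(user, vhost, queue):
    # The flawed gate the advisory describes: only "does this user have some
    # permissions on the vhost at all?" The queue name is never consulted.
    return (user, vhost) in PERMS

def can_delete_queue_fixed(user, vhost, queue):
    # Deleting a queue is a 'configure' operation on that queue resource, so
    # the user's configure regex for the vhost must match the queue name.
    perms = PERMS.get((user, vhost))
    return perms is not None and _matches(perms["configure"], queue)

def deletion_audit(user, vhost, queues):
    # Lists the queues each gate would let `user` delete, so the gap between
    # the flawed and the correct check is visible per queue.
    return {
        "vulnerable": [q for q in queues if can_delete_queue_vulnerable(user, vhost, q)],
        "fixed": [q for q in queues if can_delete_queue_fixed(user, vhost, q)],
    }

if __name__ == "__main__":
    queues = ["alice-orders", "bob-jobs", "billing"]
    for user in ("alice", "bob", "carol"):
        print(user, deletion_audit(user, "/", queues))
```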
Workarounds
Disable the management plugin and use, for example, Prometheus and Grafana for monitoring.
OWASP Classification
OWASP Top10 A01:2021 – Broken Access Control
- CVE-2024-51988
High severity GitHub Reviewed Published Nov 6, 2024 in rabbitmq/rabbitmq-server • Updated Nov 6, 2024
Package
erlang rabbit_common (Erlang)
Affected versions
>= 3.12.7, < 3.12.11
References
- GHSA-pj33-75x5-32j4
- https://www.rabbitmq.com/docs/prometheus
Published to the GitHub Advisory Database
Nov 6, 2024