Bugzilla – Bug 915325
VUL-0: CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability
Last modified: 2017-08-04 09:25:56 UTC
rh#1185514 Cross-site scripting (XSS) vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary web script or HTML via the path info to api/, which is not properly handled in an error message.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1185514
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9649
http://seclists.org/oss-sec/2015/q1/273
http://www.openwall.com/lists/oss-security/2015/01/21/13
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9649.html
https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs
http://www.rabbitmq.com/release-notes/README-3.4.1.txt
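As an added illustration of the bug class described above (this is not RabbitMQ's own code; the handler names and the sample paths are hypothetical), a minimal Python error handler that reflects the request path into an HTML error page, beside a hardened version that escapes the path and serves the error as plain text, plus a check for the reflection pattern:

```python
import html

# Constructed sample paths, not taken from the page. The first mimics the
# CVE-2014-9649 pattern: markup placed in the path info under /api/.
SAMPLE_PATHS = [
    "/api/<script>alert(1)</script>",
    "/api/nonexistent",
]


def vulnerable_not_found(path):
    """Hypothetical handler reproducing the bug class: the raw request path
    is concatenated into an HTML error message without escaping."""
    body = f"<html><body>Not found: {path}</body></html>"
    return "text/html", body


def hardened_not_found(path):
    """Hardened variant: HTML-escape the untrusted path before embedding it
    and serve the error as text/plain so browsers interpret no markup."""
    safe = html.escape(path, quote=True)
    body = f"Not found: {safe}"
    return "text/plain; charset=utf-8", body


def reflects_markup(content_type, body, path):
    """Detection helper for a response: True when a path containing markup
    is echoed verbatim into an HTML body, i.e. the reflected-XSS pattern."""
    return content_type.startswith("text/html") and "<" in path and path in body


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        for handler in (vulnerable_not_found, hardened_not_found):
            ct, body = handler(p)
            print(handler.__name__, p, "reflects markup:", reflects_markup(ct, body, p))
```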
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-03-12. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/60836
Cloud 5 is not affected afaict, Cloud 4 needs a fix.
update is still stuck in maintenance-QA :-(
This is still open for: openSUSE 13.2 (3.3.5). Already fixed later. Assigning to openSUSE maintainer. Please indicate if you want to fix this in 13.2.
fixed in current products, Leap and Factory