Bug 915326 (CVE-2014-9650) - VUL-0: CVE-2014-9650 RabbitMQ: /api/definitions response splitting vulnerability
Status: RESOLVED WONTFIX
Alias: CVE-2014-9650
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Deadline: 2015-03-12
Assignee: Bernhard Wiedemann
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/113205/
Whiteboard: CVSSv2:RedHat:CVE-2014-9650:4.3:(AV:N...
Reported: 2015-01-29 09:29 UTC by Victor Pereira
Modified: 2016-04-27 19:00 UTC
Found By: Security Response Team
Description Victor Pereira 2015-01-29 09:29:24 UTC
rh#1185515

CRLF injection vulnerability in the management plugin in RabbitMQ 2.1.0 through
3.4.x before 3.4.1 allows remote attackers to inject arbitrary HTTP headers and
conduct HTTP response splitting attacks via the download parameter to
api/definitions.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9650
http://seclists.org/oss-sec/2015/q1/273
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9650.html
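
A log check for the issue described above, added here as an example and not part of the original bug report or of RabbitMQ: it flags requests to api/definitions whose download parameter decodes to a CR or LF, including double-encoded forms. The common-log-style line format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line inside a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def has_crlf(value, max_rounds=3):
    """True if value holds CR or LF, also after repeated percent-decoding."""
    for _ in range(max_rounds):
        if "\r" in value or "\n" in value:
            return True
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return "\r" in value or "\n" in value


def suspicious_download_params(log_lines):
    """Return (line_number, value) for /api/definitions requests whose
    download parameter contains a CR or LF once decoded."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        if target.path.rstrip("/") != "/api/definitions":
            continue
        # parse_qsl percent-decodes each value once; has_crlf decodes further.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if name == "download" and has_crlf(value):
                hits.append((number, value))
    return hits


# Constructed sample lines (documentation addresses, harmless marker header).
SAMPLE_LOG = [
    '192.0.2.10 - admin [29/Jan/2015:09:29:24 +0000] "GET /api/definitions?download=rabbit.json HTTP/1.1" 200 512',
    '192.0.2.11 - - [29/Jan/2015:09:30:01 +0000] "GET /api/definitions?download=a.json%0d%0aX-Constructed:%201 HTTP/1.1" 200 512',
    '192.0.2.11 - - [29/Jan/2015:09:30:05 +0000] "GET /api/definitions?download=a.json%250d%250aX-Constructed:%201 HTTP/1.1" 200 512',
    '192.0.2.12 - - [29/Jan/2015:09:31:00 +0000] "GET /api/queues?download=b%0d%0a HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for number, value in suspicious_download_params(SAMPLE_LOG):
        print(number, repr(value))
```
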
Comment 1 Swamp Workflow Management 2015-01-29 23:00:47 UTC
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2015-02-26 15:25:33 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-03-12.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60836
Comment 5 Vincent Untz 2015-03-17 08:40:55 UTC
Cloud 5 is not affected afaict, Cloud 4 needs a fix.