Bugzilla – Bug 1187819
VUL-0: CVE-2021-32719: rabbitmq-server: improper neutralization of script-related HTML tags in a web page (basic XSS) in federation management plugin
Last modified: 2024-06-19 08:30:25 UTC
rh#1977008

RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.18, when a federation link was displayed in the RabbitMQ management UI via the `rabbitmq_federation_management` plugin, its consumer tag was rendered without proper <script> tag sanitization. This potentially allows for JavaScript code execution in the context of the page. The user must be signed in and have elevated permissions (manage federation upstreams and policies) for this to occur. The vulnerability is patched in RabbitMQ 3.8.18. As a workaround, disable the `rabbitmq_federation_management` plugin and use [CLI tools](https://www.rabbitmq.com/cli.html) instead.

Reference: https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hxj4-773x

Upstream patch: https://github.com/rabbitmq/rabbitmq-server/pull/3122

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1977008
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32719
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32719
https://github.com/rabbitmq/rabbitmq-server/pull/3122
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hxj4-773x
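The defect described in the report is a plain output-encoding gap: a data field that a privileged user can influence is interpolated into page markup as-is. The block below is an added JavaScript illustration of that pattern and its fix; it is not RabbitMQ's management UI code and not the upstream patch. The function names (`escapeHtml`, `renderLinkRowUnsafe`, `renderLinkRowSafe`, `containsRawScriptTag`) and the sample link object are assumptions made for the example.

```javascript
// Added illustration (not RabbitMQ's own code): rendering an untrusted
// federation link field into HTML. The consumer tag comes from broker state
// that a user with federation-management rights can influence, so the UI must
// treat it as untrusted data when building the page.

// Minimal HTML escaper covering the characters that can break out of text
// or attribute context.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: raw interpolation of data fields into markup. This is
// the shape of defect the advisory describes (field rendered unsanitized).
function renderLinkRowUnsafe(link) {
  return `<tr><td>${link.upstream}</td><td>${link.consumer_tag}</td></tr>`;
}

// Hardened pattern: every untrusted field is escaped before interpolation, so
// markup characters inside the data are rendered as text, not parsed as tags.
function renderLinkRowSafe(link) {
  return `<tr><td>${escapeHtml(link.upstream)}</td>` +
         `<td>${escapeHtml(link.consumer_tag)}</td></tr>`;
}

// Review/test check: rendered output built from data fields must never carry
// a literal <script> tag. Useful as a regression assertion in UI tests.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample (hypothetical data): a consumer tag that embeds markup.
const sampleLink = {
  upstream: 'upstream-1',
  consumer_tag: 'fed.tag<script>x</script>',
};

console.log('unsafe:', renderLinkRowUnsafe(sampleLink));
console.log('safe:  ', renderLinkRowSafe(sampleLink));
```

The check function is the part worth keeping around: it encodes the advisory's invariant (no data-derived `<script>` in rendered markup) as something a template regression test can assert on, independent of which escaping helper the real UI uses.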
|                 | SLES11-SP3 | SLES15-SP2 | SLES15-SP3 |
|-----------------|------------|------------|------------|
| rabbitmq-server | 2.8.7      | 3.8.3      | 3.8.11     |

It seems to me that the bug does not affect version 2.8.7. Can you please confirm?
(In reply to Danilo Spinella from comment #3)
> | SLES11-SP3 | SLES15-SP2 | SLES15-SP3
> rabbitmq-server | 2.8.7 | 3.8.3 | 3.8.11
>
> It seems to me that the bug does not affect version 2.8.7. Can you please
> confirm?

Still under support are these codestreams:

SUSE:SLE-12-SP2:Update:Products:Cloud7:Update/rabbitmq-server
SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/rabbitmq-server
SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/rabbitmq-server
SUSE:SLE-15-SP2:Update/rabbitmq-server
SUSE:SLE-15-SP3:Update/rabbitmq-server

SLES11-SP3 is not supported anymore. For Cloud* it might be enough to re-assign to cloud-bugs@suse.de.
SUSE-SU-2021:3254-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1185075,1186203,1187818,1187819
CVE References: CVE-2021-22116,CVE-2021-32718,CVE-2021-32719
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): rabbitmq-server-3.8.3-3.3.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:1334-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1185075,1186203,1187818,1187819
CVE References: CVE-2021-22116,CVE-2021-32718,CVE-2021-32719
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): rabbitmq-server-3.8.3-lp152.2.3.1
openSUSE-SU-2021:3325-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1185075,1186203,1187818,1187819
CVE References: CVE-2021-22116,CVE-2021-32718,CVE-2021-32719
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): rabbitmq-server-3.8.11-3.3.3
SUSE-SU-2021:3325-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1185075,1186203,1187818,1187819
CVE References: CVE-2021-22116,CVE-2021-32718,CVE-2021-32719
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src): rabbitmq-server-3.8.11-3.3.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.
SUSE-FU-2024:2078-1: An update that solves five vulnerabilities, contains one feature and has five fixes can now be installed.

Category: feature (important)
Bug References: 1181400, 1185075, 1186203, 1187818, 1187819, 1199431, 1205267, 1216582, 1219532, 1222591
CVE References: CVE-2021-22116, CVE-2021-32718, CVE-2021-32719, CVE-2022-31008, CVE-2023-46118
Jira References: PED-8414
Maintenance Incident: [SUSE:Maintenance:34194](https://smelt.suse.de/incident/34194/)
Sources used:
openSUSE Leap 15.3 (src): erlang26-26.2.1-150300.7.5.1, elixir115-1.15.7-150300.7.5.1
openSUSE Leap 15.6 (src): erlang26-26.2.1-150300.7.5.1, elixir115-1.15.7-150300.7.5.1, rabbitmq-server313-3.13.1-150600.13.5.3
Server Applications Module 15-SP6 (src): erlang26-26.2.1-150300.7.5.1, rabbitmq-server313-3.13.1-150600.13.5.3, elixir115-1.15.7-150300.7.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.