CVE-2021-32718

Published: 28 June 2021

RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.17, a new user being added via the management UI could lead to the user's name being rendered in a confirmation message without proper `<script>` tag sanitization, potentially allowing JavaScript code execution in the context of the page. In order for this to occur, the attacker must be signed in and have elevated permissions (management of other users), so this is a stored cross-site scripting issue exploitable only by an already-privileged operator against other users of the management UI. The vulnerability is patched in RabbitMQ 3.8.17. As a workaround, disable the `rabbitmq_management` plugin and use the CLI tools for management operations and Prometheus and Grafana for metrics and monitoring.
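The bug class described above, as an added illustrative example: this is not code from rabbitmq-server or the rabbitmq_management plugin, and the function names, the confirmation markup and the sample user name are all constructed for the illustration. It shows a user name concatenated into a confirmation message's HTML unescaped, next to the hardened form that escapes it first, and a check that tells the two apart.

```javascript
// Added illustrative example, not code from rabbitmq-server or the
// rabbitmq_management plugin. It models the bug class in CVE-2021-32718:
// a user-supplied name interpolated into a confirmation message's HTML
// without escaping, shown beside the hardened form.

// Minimal HTML escaper covering the five characters that matter in text
// and double-quoted attribute context.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern (hypothetical): the name goes straight into markup.
// If this string is later assigned to innerHTML, any <script> or inline
// event handler in the name runs in the management UI's origin.
function confirmationHtmlVulnerable(username) {
  return '<p class="confirm">Added user ' + username + '</p>';
}

// Hardened pattern: escape before concatenation. When building DOM nodes
// directly, the equivalent is setting textContent instead of innerHTML.
function confirmationHtmlSafe(username) {
  return '<p class="confirm">Added user ' + escapeHtml(username) + '</p>';
}

// Detects whether rendered markup still carries a script element or an
// inline event-handler attribute introduced by the input.
function containsActiveContent(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

// Constructed sample input: the kind of name an operator holding
// user-management permissions could submit through the management UI.
const SAMPLE_NAME = 'alice<script>fetch("/api/users")</script>';

// Renders the same name both ways and reports which result is still live.
function demo() {
  const vulnerable = confirmationHtmlVulnerable(SAMPLE_NAME);
  const safe = confirmationHtmlSafe(SAMPLE_NAME);
  return {
    vulnerable,
    safe,
    vulnerableHasScript: containsActiveContent(vulnerable),
    safeHasScript: containsActiveContent(safe),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The same escaping must be applied wherever the name is rendered, not only in the confirmation message; a single unescaped sink elsewhere in the UI re-opens the issue for the same privileged attacker.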

Priority

Low

CVSS 3 base score: 5.4

Status

Package: rabbitmq-server (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Needed
focal      Needed
groovy     Ignored (reached end-of-life)
hirsute    Ignored (reached end-of-life)
impish     Ignored (reached end-of-life)
jammy      Not vulnerable (3.9.8-6)
kinetic    Not vulnerable (3.9.8-6)
trusty     Does not exist
upstream   Released (3.8.17, 3.9.4-1)
xenial     Needed

Patches:
upstream: https://github.com/rabbitmq/rabbitmq-server/pull/3028