Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Mageia: Security Advisory (MGASA-2015-0240)

🗓️ 28 Jan 2022 00:00:00Reported by Copyright (C) 2022 Greenbone AGType 
openvas
 openvas🔗 plugins.openvas.org👁 23 Views

Security update for 'rabbitmq-server' package on Mageia

Related
Refs
Code
ReporterTitlePublishedViews
Family
IBM Security Bulletins		Security Bulletin: Vulnerability in Rational Engineering Lifecycle Manager, Rational Software Architect Design Manager and Rhapsody Design Manager (CVE-2014-3037)
17 Jun 201804:56
ibm
IBM Security Bulletins		Security Bulletin: Critical security vulnerability in Jazz Team Server affecting Rational Software Architect Design Manager and Rational Rhapsody Design Manager (CVE-2014-0862)
17 Jun 201804:53
ibm
IBM Security Bulletins		Security Bulletin: Critical security vulnerability in Jazz Team Server affecting all CLM Applications (CVE-2014-0862)
28 Apr 202118:35
ibm
FreeBSD		rabbitmq -- Security issues in management plugin
8 Jan 201500:00
freebsd
CNVD		Pivotal Software RabbitMQ management plugin cross-site scripting vulnerability
23 Jan 201500:00
cnvd
CNVD		Pivotal Software RabbitMQ management plugin cross-site scripting vulnerability (CNVD-2015-00813)
29 Jan 201500:00
cnvd
CNVD		Pivotal Software management plugin CRLF injection vulnerability
29 Jan 201500:00
cnvd
CVE		CVE-2014-0862
2 Mar 201402:00
cve
CVE		CVE-2014-9649
27 Jan 201517:00
cve
CVE		CVE-2014-9650
27 Jan 201517:00
cve
Rows per page
# SPDX-FileCopyrightText: 2022 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.1.10.2015.0240");
  script_cve_id("CVE-2014-0862", "CVE-2014-9649", "CVE-2014-9650");
  script_tag(name:"creation_date", value:"2022-01-28 10:58:44 +0000 (Fri, 28 Jan 2022)");
  script_version("2024-10-23T05:05:59+0000");
  script_tag(name:"last_modification", value:"2024-10-23 05:05:59 +0000 (Wed, 23 Oct 2024)");
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");

  script_name("Mageia: Security Advisory (MGASA-2015-0240)");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2022 Greenbone AG");
  script_family("Mageia Linux Local Security Checks");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/mageia_linux", "ssh/login/release", re:"ssh/login/release=MAGEIA4");

  script_xref(name:"Advisory-ID", value:"MGASA-2015-0240");
  script_xref(name:"URL", value:"https://advisories.mageia.org/MGASA-2015-0240.html");
  script_xref(name:"URL", value:"http://openwall.com/lists/oss-security/2015/01/27/8");
  script_xref(name:"URL", value:"http://www.rabbitmq.com/news.html");
  script_xref(name:"URL", value:"https://bugs.mageia.org/show_bug.cgi?id=15120");
  script_xref(name:"URL", value:"https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs");

  script_tag(name:"summary", value:"The remote host is missing an update for the 'rabbitmq-server' package(s) announced via the MGASA-2015-0240 advisory.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable package version is present on the target host.");

  script_tag(name:"insight", value:"Updated rabbitmq-server package fixes security vulnerabilities:

RabbitMQ before 3.4.1 does not prevent /api/* from returning text/html error
messages which could act as an XSS vector (CVE-2014-9649).

RabbitMQ before 3.4.1 has a response-splitting vulnerability in /api/downloads
(CVE-2014-9650).

In RabbitMQ before 3.4.3, some user-controllable content was not properly
HTML-escaped before being presented to a user in the management web UI.
An attacker could publish a specially crafted message, policy name, or client
version to execute arbitrary Javascript code on behalf of a user who was
viewing messages, policies, or connected clients in the management UI. In all
cases, the attacker needs a valid user account on the targeted RabbitMQ
cluster (CVE-2015-0862).

The rabbitmq-server package has been updated to version 3.5.3, fixing these
issues and several other bugs.");

  script_tag(name:"affected", value:"'rabbitmq-server' package(s) on Mageia 4.");

  script_tag(name:"solution", value:"Please install the updated package(s).");

  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"package");

  exit(0);
}

include("revisions-lib.inc");
include("pkg-lib-rpm.inc");

release = rpm_get_ssh_release();
if(!release)
  exit(0);

res = "";
report = "";

if(release == "MAGEIA4") {

  if(!isnull(res = isrpmvuln(pkg:"rabbitmq-server", rpm:"rabbitmq-server~3.5.3~1.mga4", rls:"MAGEIA4"))) {
    report += res;
  }

  if(report != "") {
    security_message(data:report);
  } else if(__pkg_match) {
    exit(99);
  }
  exit(0);
}

exit(0);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
23 Oct 2024 00:00Current
6.5Medium risk
Vulners AI Score6.5
CVSS 210
EPSS0.17369
cve-2014-9649cve-2014-9650cve-2015-0862xss vectorresponse splittinghtml-escapedmageia 4
23