RabbitMQ is an implementation of AMQP, the emerging standard for high
performance enterprise messaging. The RabbitMQ server is a robust and
scalable implementation of an AMQP broker.
A cross-site scripting (XSS) vulnerability was discovered in the RabbitMQ HTTP
API served under /api/: path information from the request was reflected into
the response without being escaped. A remote attacker could craft an "/api/…"
URL that forced a server error, causing the server to return an HTML page with
the text from the URL embedded in it unescaped, so that script carried in such
a URL would run in the browser of a user who followed it. (CVE-2014-9649)
An HTTP response-splitting vulnerability was discovered in RabbitMQ.
A crafted /api/definitions URL caused an arbitrary additional header to be
included in the response. A remote attacker could use this flaw to inject
arbitrary HTTP headers and possibly gain access to sensitive data.
(CVE-2014-9650)
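The two flaws above are the same mistake twice: a request-controlled string is written into the response (once into an HTML body, once into a header line) without being made safe for the context it lands in. The following example was added for this page and is not RabbitMQ's management-plugin code; it models each bug in a vulnerable form beside a hardened form and includes a small response parser that shows what a client would see. The query parameter name "download", the sample path and the sample URL are assumptions, not details taken from the advisory.

```python
"""Constructed model of the two bug classes in this advisory (added example,
not RabbitMQ's code).  Each handler is shown vulnerable and hardened:

  * error_page_*: an HTML error page that embeds the request path
    (unescaped -> reflected XSS, as in CVE-2014-9649; escaped -> inert text)
  * build_response_*: a response whose Content-Disposition header carries a
    value taken from the URL (raw -> header injection, as in CVE-2014-9650;
    CR/LF refused -> single header)

The query parameter name "download" is an assumption used only to carry the
attacker-controlled value into the header.
"""
import html
from urllib.parse import parse_qs, urlsplit

CRLF = "\r\n"


def error_page_vulnerable(path: str) -> str:
    """Reflect the request path verbatim into the HTML error page."""
    return f"<html><body><h1>Not found</h1><p>No such resource: {path}</p></body></html>"


def error_page_fixed(path: str) -> str:
    """Same page, but html.escape() turns < > & ' \" into entities first."""
    return f"<html><body><h1>Not found</h1><p>No such resource: {html.escape(path)}</p></body></html>"


def _download_name(url: str) -> str:
    """Take the (assumed) 'download' query value, with a default when absent."""
    query = parse_qs(urlsplit(url).query)
    return query.get("download", ["definitions.json"])[0]


def _serialise(headers: list[str], body: str) -> str:
    """Join status line, headers and body the way they go on the wire."""
    return CRLF.join(["HTTP/1.1 200 OK", *headers]) + CRLF + CRLF + body


def build_response_vulnerable(url: str) -> str:
    """Splice the URL-supplied value straight into a header.  A value holding
    CR LF terminates Content-Disposition and starts an attacker-chosen header."""
    name = _download_name(url)
    return _serialise(
        ["Content-Type: application/json",
         f"Content-Disposition: attachment; filename={name}"],
        "{}",
    )


def build_response_fixed(url: str) -> str:
    """Same response, but any CR or LF in the header value is refused before
    it reaches the wire (percent-encoding it would be the other option)."""
    name = _download_name(url)
    if "\r" in name or "\n" in name:
        raise ValueError("CR/LF not permitted in a header value")
    return _serialise(
        ["Content-Type: application/json",
         f"Content-Disposition: attachment; filename={name}"],
        "{}",
    )


def parse_headers(raw: str) -> dict[str, str]:
    """Split a serialised response into {lower-case name: value}, as a client
    would; an injected header shows up here as an extra key."""
    head, _, _body = raw.partition(CRLF + CRLF)
    out: dict[str, str] = {}
    for line in head.split(CRLF)[1:]:  # skip the status line
        name, _, value = line.partition(":")
        out[name.strip().lower()] = value.strip()
    return out


def reflects_unescaped(page: str, marker: str) -> bool:
    """True if the marker string appears in the page exactly as it was sent."""
    return marker in page


# Constructed probe inputs, not captured traffic.
XSS_PATH = "/api/<script>alert(1)</script>"
SPLIT_URL = "/api/definitions?download=x%0d%0aSet-Cookie:%20session=evil"


if __name__ == "__main__":
    print("vulnerable page reflects tag:", reflects_unescaped(error_page_vulnerable(XSS_PATH), "<script>"))
    print("fixed page reflects tag:     ", reflects_unescaped(error_page_fixed(XSS_PATH), "<script>"))
    print("vulnerable headers:", parse_headers(build_response_vulnerable(SPLIT_URL)))
    try:
        build_response_fixed(SPLIT_URL)
    except ValueError as exc:
        print("fixed handler refused:", exc)
```

Run as a script, the vulnerable handler reports a "set-cookie" key the server never set, while the hardened handler refuses the value outright; the same parse_headers() check can be pointed at a real response captured from a server under test to confirm whether a backported fix is in place.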
This update also fixes the following bug:
All rabbitmq-server users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues.
OS | OS Version | Architecture | Package | Affected Version | Filename (fixed package) |
---|---|---|---|---|---|
RedHat | 7 | noarch | rabbitmq-server | < 3.3.5-18.el7ost | rabbitmq-server-3.3.5-18.el7ost.noarch.rpm |
RedHat | 7 | src | rabbitmq-server | < 3.3.5-18.el7ost | rabbitmq-server-3.3.5-18.el7ost.src.rpm |