CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | SINGLE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | HIGH |
User Interaction | REQUIRED |
Scope | CHANGED |
Confidentiality Impact | LOW |
Integrity Impact | LOW |
Availability Impact | NONE |

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

EPSS Percentile: 40.6%

RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to
version 3.8.18, when a federation link was displayed in the RabbitMQ
management UI via the rabbitmq_federation_management plugin, its consumer
tag was rendered without proper <script> tag sanitization. This potentially
allows for JavaScript code execution in the context of the page. The user
must be signed in and have elevated permissions (manage federation
upstreams and policies) for this to occur. The vulnerability is patched in
RabbitMQ 3.8.18. As a workaround, disable the rabbitmq_federation_management
plugin and use CLI tools instead.
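
The bug class described above, as an added example that is not RabbitMQ's code: a consumer tag concatenated into table markup as-is, next to the same row with output encoding applied. The function names, the record's field names and the sample record are assumptions constructed for illustration.

```javascript
// Added example. escapeHtml, renderLinkRowUnsafe and renderLinkRowSafe are
// hypothetical names, not functions from the RabbitMQ management UI.

// The five characters that are significant in HTML text and attribute values.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a value for insertion into HTML. Missing values render as an
// empty cell instead of the strings "null" or "undefined".
function escapeHtml(value) {
  if (value === null || value === undefined) return "";
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: fields are concatenated into markup without encoding, so any
// markup inside the consumer tag becomes part of the page.
function renderLinkRowUnsafe(link) {
  return "<tr><td>" + link.upstream + "</td><td>" + link.consumer_tag + "</td></tr>";
}

// After: every field is encoded at the point of output, so the same tag
// is displayed as inert text.
function renderLinkRowSafe(link) {
  return (
    "<tr><td>" + escapeHtml(link.upstream) + "</td><td>" +
    escapeHtml(link.consumer_tag) + "</td></tr>"
  );
}

// Constructed sample record (field names are assumptions).
const sampleLink = {
  upstream: "upstream-a",
  consumer_tag: "federation-link-<script>document.title='x'</script>",
};

console.log("unsafe:", renderLinkRowUnsafe(sampleLink));
console.log("safe:  ", renderLinkRowSafe(sampleLink));
```
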
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | rabbitmq-server | < any | UNKNOWN |
ubuntu | 20.04 | noarch | rabbitmq-server | < any | UNKNOWN |
ubuntu | 16.04 | noarch | rabbitmq-server | < any | UNKNOWN |