Bug 1157664 - (CVE-2019-11291) VUL-0: CVE-2019-11291: rabbitmq-server: XSS via vhost or node name fields could grant access to virtual hosts and policy management information
Status: RESOLVED WORKSFORME
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/247874/
Whiteboard: CVSSv2:NVD:CVE-2019-11291:3.5:(AV:N/...
Depends on:
Blocks:
Reported: 2019-11-25 09:52 UTC by Alexander Bergmann
Modified: 2020-01-30 12:14 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2019-11-25 09:52:01 UTC
CVE-2019-11291

Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 versions prior to v3.8.1,
and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior
to 1.17.4, contain two endpoints, federation and shovel, which do not properly
sanitize user input. A remote authenticated malicious user with administrative
access could craft a cross-site scripting attack via the vhost or node name
fields that could grant access to virtual hosts and policy management
information.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11291
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11291
https://pivotal.io/security/cve-2019-11291
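The advisory text above describes the bug class but not the code. The following is an added example, written for this page and not taken from RabbitMQ's management plugin or from any commit for this CVE; it shows how a free-form vhost name that is interpolated into a management-page table unescaped becomes stored XSS against any administrator who later views the federation or shovel status page, and the HTML escaping that neutralises it. The row-rendering functions, the upstream objects and the payload vhost name are all constructed for illustration (RabbitMQ does allow arbitrary UTF-8 vhost names, which is why the value cannot be trusted at render time).

```javascript
// Added example, not RabbitMQ code. Demonstrates unescaped vs. escaped
// rendering of vhost / node name fields in a management-style web UI.
// escapeHtml, renderUpstreamRow* and the sample data are hypothetical.

// Escapes the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[ch]);
}

// Vulnerable pattern: JSON fields from the HTTP API are interpolated straight
// into markup, so markup inside a vhost or node name is rendered as markup.
function renderUpstreamRowUnsafe(upstream) {
  return `<tr><td>${upstream.vhost}</td><td>${upstream.node}</td></tr>`;
}

// Hardened pattern: every field that originates from user-controlled data is
// escaped before interpolation, whatever the page it ends up on.
function renderUpstreamRowSafe(upstream) {
  return `<tr><td>${escapeHtml(upstream.vhost)}</td><td>${escapeHtml(upstream.node)}</td></tr>`;
}

// Constructed sample data: the second vhost was created by an account that
// has permission to create vhosts and chose a name carrying a script payload.
const upstreams = [
  { vhost: "/", node: "rabbit@host1" },
  { vhost: '<img src=x onerror="alert(document.cookie)">', node: "rabbit@host2" },
];

// True if the rendered markup still contains an unescaped <img ...> tag, i.e.
// the payload would execute in the viewing administrator's browser.
function containsRawTag(html) {
  return /<img\b/i.test(html);
}

// Renders the whole table body with the given row renderer.
function renderAll(render) {
  return upstreams.map(render).join("\n");
}

// Stand-alone run: shows that only the unsafe renderer leaks the tag.
console.log("unsafe leaks tag:", containsRawTag(renderAll(renderUpstreamRowUnsafe)));
console.log("safe leaks tag:  ", containsRawTag(renderAll(renderUpstreamRowSafe)));
```

The check to take from this: an XSS that needs administrative access to plant is still worth fixing, because the payload runs in the session of whichever administrator views the page later and can read or change anything the management API exposes to that session (vhosts, policies, users). When auditing a web UI, look for every place a server-supplied string is concatenated into HTML rather than passed through an escaping helper or a DOM text property.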
Comment 1 Alexander Bergmann 2019-11-25 10:29:00 UTC
Unclear which commit fixes this issue.