CVE-2019-11291

CVE Database · CVE-2019-11291

CVE-2019-11291

· MEDIUMModified

CVSS v3.1

4.8

EPSS

0.80%

Published

Nov 22, 2019

Modified

Apr 2, 2025

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Weaknesses (CWE)

CWE-79CWE-79

Affected Products (5)

broadcom · rabbitmq_server (up to 3.7.20)vulnerable

broadcom · rabbitmq_servervulnerable

vmware · rabbitmq (up to 1.16.7)vulnerable

vmware · rabbitmq (up to 1.17.4)vulnerable

redhat · openstackvulnerable

References (4)

https://access.redhat.com/errata/RHSA-2020:0553