CVE-2021-32719

CVE Database · CVE-2021-32719

CVE-2021-32719

· LOWModified

CVSS v3.1

3.1

EPSS

1.42%

Published

Jun 28, 2021

Modified

Nov 21, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.18, when a federation link was displayed in the RabbitMQ management UI via the `rabbitmq_federation_management` plugin, its consumer tag was rendered without proper <script> tag sanitization. This potentially allows for JavaScript code execution in the context of the page. The user must be signed in and have elevated permissions (manage federation upstreams and policies) for this to occur. The vulnerability is patched in RabbitMQ 3.8.18. As a workaround, disable the `rabbitmq_federation_management` plugin and use [CLI tools](https://www.rabbitmq.com/cli.html) instead.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N

Weaknesses (CWE)

CWE-80CWE-79

Affected Products (1)

vmware · rabbitmq (up to 3.8.18)vulnerable

References (6)

https://github.com/rabbitmq/rabbitmq-server/pull/3122

PatchThird Party Advisory

https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hxj4-773x

MitigationThird Party Advisory

https://herolab.usd.de/security-advisories/usd-2021-0011/

ExploitThird Party Advisory

https://github.com/rabbitmq/rabbitmq-server/pull/3122

PatchThird Party Advisory

https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hxj4-773x

MitigationThird Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs