CVE-2019-11291

NameCVE-2019-11291
DescriptionPivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs945601

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rabbitmq-server (PTS)jessie, jessie (lts)3.3.5-1.1+deb8u1vulnerable
stretch (security)3.6.6-1+deb9u2fixed
stretch (lts), stretch3.6.6+really3.8.9-0+deb9u2fixed
buster (security), buster, buster (lts)3.8.2-1+deb10u2vulnerable
bullseye (security), bullseye3.8.9-3+deb11u1fixed
bookworm (security), bookworm3.10.8-1.1+deb12u1fixed
sid, trixie3.10.8-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
rabbitmq-serversourcestretch(not affected)
rabbitmq-serversource(unstable)3.8.3-1945601

Notes

[buster] - rabbitmq-server <no-dsa> (Minor issue)
[stretch] - rabbitmq-server <not-affected> (Vulnerable code not present)
[jessie] - rabbitmq-server <postponed> (Minor issue)
https://github.com/rabbitmq/rabbitmq-shovel-management/commit/c22992b289dddadba866ac2b7fc697bc66847e4f
https://github.com/rabbitmq/rabbitmq-federation-management/commit/52bf0ffbb8695060b1ae909266b9b62717e7ba2d
https://pivotal.io/security/cve-2019-11291
[wheezy] - rabbitmq-server <no-dsa> (Minor issue, requires administrative access)
Search for package or bug name: Reporting problems