https://bugzilla.redhat.com/show_bug.cgi?id=1448336
Bug ID: 1448336
Summary: CVE-2017-4967 rabbitmq: XSS vulnerability in management UI
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: anemec@redhat.com
CC: aortega@redhat.com, apevec@redhat.com, ayoung@redhat.com, chrisw@redhat.com, cvsbot-xmlrpc@redhat.com, erlang@lists.fedoraproject.org, hubert.plociniczak@gmail.com, jeckersb@redhat.com, jjoyce@redhat.com, josh@fornwall.com, jschluet@redhat.com, kbasil@redhat.com, lemenkov@gmail.com, lhh@redhat.com, lpeer@redhat.com, markmc@redhat.com, plemenko@redhat.com, rbryant@redhat.com, rjones@redhat.com, sclewis@redhat.com, sisharma@redhat.com, srevivo@redhat.com, s@shk.io, tdecacqu@redhat.com
A cross-site scripting vulnerability was found in the management UI of RabbitMQ.
External References:
https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_9
https://bugzilla.redhat.com/show_bug.cgi?id=1448336
Andrej Nemec anemec@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Fixed In Version| |rabbitmq-server 3.6.9
Andrej Nemec anemec@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1448338, 1448339
--- Comment #1 from Andrej Nemec anemec@redhat.com ---
Created rabbitmq-server tracking bugs for this issue:
Affects: epel-all [bug 1448338]
Affects: fedora-24 [bug 1448339]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1448338 [Bug 1448338] CVE-2017-4965 CVE-2017-4966 CVE-2017-4967 rabbitmq-server: various flaws [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1448339 [Bug 1448339] CVE-2017-4965 CVE-2017-4966 CVE-2017-4967 rabbitmq-server: various flaws [fedora-24]
Andrej Nemec anemec@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1448341
Summer Long slong@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20170329,reported=20170422,source=gentoo,cvss3=6.1/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N,cwe=CWE-79,fedora-24/rabbitmq-server=affected,fedora-25/rabbitmq-server=notaffected,epel-all/rabbitmq-server=affected,rhscon-2/rabbitmq-server=new,openstack-5/rabbitmq-server=new,openstack-6/rabbitmq-server=new,openstack-7/rabbitmq-server=new,openstack-8/rabbitmq-server=new,openstack-9/rabbitmq-server=new,openstack-10/rabbitmq-server=new,openstack-11/rabbitmq-server=new |impact=moderate,public=20170329,reported=20170422,source=gentoo,cvss3=6.1/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N,cwe=CWE-79,fedora-24/rabbitmq-server=affected,fedora-25/rabbitmq-server=notaffected,epel-all/rabbitmq-server=affected,rhscon-2/rabbitmq-server=new,openstack-5/rabbitmq-server=wontfix,openstack-6/rabbitmq-server=wontfix,openstack-7/rabbitmq-server=wontfix,openstack-8/rabbitmq-server=wontfix,openstack-9/rabbitmq-server=wontfix,openstack-10/rabbitmq-server=wontfix,openstack-11/rabbitmq-server=wontfix
Siddharth Sharma sisharma@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20170329,reported=20170422,source=gentoo,cvss3=6.1/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N,cwe=CWE-79,fedora-24/rabbitmq-server=affected,fedora-25/rabbitmq-server=notaffected,epel-all/rabbitmq-server=affected,rhscon-2/rabbitmq-server=new,openstack-5/rabbitmq-server=wontfix,openstack-6/rabbitmq-server=wontfix,openstack-7/rabbitmq-server=wontfix,openstack-8/rabbitmq-server=wontfix,openstack-9/rabbitmq-server=wontfix,openstack-10/rabbitmq-server=wontfix,openstack-11/rabbitmq-server=wontfix |impact=moderate,public=20170329,reported=20170422,source=gentoo,cvss3=6.1/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N,cwe=CWE-79,fedora-24/rabbitmq-server=affected,fedora-25/rabbitmq-server=notaffected,epel-all/rabbitmq-server=affected,rhscon-2/rabbitmq-server=wontfix,openstack-5/rabbitmq-server=wontfix,openstack-6/rabbitmq-server=wontfix,openstack-7/rabbitmq-server=wontfix,openstack-8/rabbitmq-server=wontfix,openstack-9/rabbitmq-server=wontfix,openstack-10/rabbitmq-server=wontfix,openstack-11/rabbitmq-server=wontfix
--- Comment #3 from Summer Long slong@redhat.com --- Statement:
This issue affects rabbitmq-server plugins as shipped with:
* Red Hat Storage Console 2
* Red Hat Enterprise Linux OpenStack Platform 5,6,7
* Red Hat OpenStack Platform 8,9,10,11
Although RabbitMQ plugins are shipped in these products, no plugins are enabled or used by default. To verify your environment's plugin usage, run:
# rabbitmq-plugins list
A future update may address this issue. Red Hat Product Security has rated this issue as having a security impact of Moderate. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
--- Comment #4 from Adam Mariš amaris@redhat.com --- Statement:
This issue affects rabbitmq-server plugins as shipped with:
* Red Hat Storage Console 2
* Red Hat Enterprise Linux OpenStack Platform 5,6,7
* Red Hat OpenStack Platform 8,9,10,11
Although RabbitMQ plugins are shipped in these products, no plugins are enabled or used by default. To verify your environment's plugin usage, run:
# rabbitmq-plugins list
A future update may address this issue. Red Hat Product Security has rated this issue as having Moderate security impact. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
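The statements above (Comments #3 and #4) reduce the question for an operator to two facts: is the management plugin enabled on this node, and is the server older than the fixed release 3.6.9 named in this bug. The following script is an added example, not code from Red Hat or the RabbitMQ project; it parses the output of `rabbitmq-plugins list` into an exposure verdict. The plugin-list output format it assumes (a `[E*]`/`[e ]`/`[  ]` status column, the plugin name, then the version) is the 3.6.x layout from memory, and the sample outputs are constructed, not captured from a real node.

```shell
#!/bin/sh
# Added example, not part of the Red Hat bug or the RabbitMQ project.
# Decides whether CVE-2017-4967 is relevant to a node from the output of
# `rabbitmq-plugins list`: the XSS is in the management UI, so a node is
# only exposed when rabbitmq_management is enabled (E or e in the first
# column) AND the server is older than the fixed release 3.6.9.
#
# Assumption: the 3.6.x output format, each plugin line looking like
#   [E*] rabbitmq_management   3.6.6
# That layout is from memory, not from this bug report.

FIXED_VERSION="3.6.9"   # first release with the fix, per this bug

# version_lt A B: true when dotted version A is strictly older than B.
# Pure awk so it does not depend on GNU `sort -V`; non-numeric suffixes
# such as "-1" are ignored by awk's numeric conversion.
version_lt() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i + 0; n = NF }
        NR == 2 {
            m = (NF > n) ? NF : n
            for (i = 1; i <= m; i++) {
                x = a[i] + 0; y = $i + 0
                if (x < y) exit 0
                if (x > y) exit 1
            }
            exit 1
        }'
}

# mgmt_exposure PLUGIN_LIST_OUTPUT
# Prints one of: not-enabled | enabled-fixed | enabled-vulnerable
# A plugin counts as enabled when configured (E or e) whether or not the
# node is currently running it; `[ *]` accepts both a running and an idle node.
mgmt_exposure() {
    line=$(printf '%s\n' "$1" | grep -E '^\[[Ee][ *]\] *rabbitmq_management +' | head -n1)
    if [ -z "$line" ]; then
        echo not-enabled
        return 0
    fi
    version=$(printf '%s\n' "$line" | awk '{ print $NF }')
    if version_lt "$version" "$FIXED_VERSION"; then
        echo enabled-vulnerable
    else
        echo enabled-fixed
    fi
}

# Constructed sample outputs (not captured from a real node).
SAMPLE_VULNERABLE=' Configured: E = explicitly enabled; e = implicitly enabled
 | Status:   * = running on rabbit@broker1
 |/
[E*] rabbitmq_management               3.6.6
[e*] rabbitmq_management_agent         3.6.6
[e*] rabbitmq_web_dispatch             3.6.6
[  ] rabbitmq_mqtt                     3.6.6'

SAMPLE_DISABLED=' Configured: E = explicitly enabled; e = implicitly enabled
 | Status:   * = running on rabbit@broker2
 |/
[  ] rabbitmq_management               3.6.6
[  ] rabbitmq_mqtt                     3.6.6'

SAMPLE_FIXED='[E*] rabbitmq_management               3.6.10'

# Live usage on a node (run as the user that can talk to the broker):
#   mgmt_exposure "$(rabbitmq-plugins list)"
```

The match on `rabbitmq_management` followed by at least one space deliberately excludes `rabbitmq_management_agent`, which is pulled in implicitly and does not serve the UI; a "not-enabled" verdict therefore means no UI is listening, which is the condition under which the statements above say the shipped packages are unaffected in practice.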
Summer Long slong@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
CC| |slong@redhat.com
Resolution|--- |WONTFIX
Last Closed| |2017-07-02 20:55:35
Bug 1448336 depends on bug 1448339, which changed state.
Bug 1448339 Summary: CVE-2017-4965 CVE-2017-4966 CVE-2017-4967 rabbitmq-server: various flaws [fedora-24] https://bugzilla.redhat.com/show_bug.cgi?id=1448339
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |ERRATA