[Bug 1185514] New: RabbitMQ: /api/... XSS vulnerability - erlang - Fedora Mailing-Lists

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

[Bug 1185514] New: RabbitMQ: /api/... XSS vulnerability

Broken dependencies: riak

Broken dependencies: riak

Red Hat Bugzilla

Friday, 23 January 2015 Fri, 23 Jan '15

11:14 p.m.

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 Bug ID: 1185514 Summary: RabbitMQ: /api/... XSS vulnerability Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: kseifried(a)redhat.com CC: abaron(a)redhat.com, aortega(a)redhat.com, apevec(a)redhat.com, ayoung(a)redhat.com, chrisw(a)redhat.com, dallan(a)redhat.com, erlang(a)lists.fedoraproject.org, gkotton(a)redhat.com, hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com, josh(a)fornwall.com, lemenkov(a)gmail.com, lhh(a)redhat.com, lpeer(a)redhat.com, markmc(a)redhat.com, pmyers(a)redhat.com, rbryant(a)redhat.com, rjones(a)redhat.com, s(a)shk.io, sclewis(a)redhat.com, yeylon(a)redhat.com 26437 prevent /api/* from returning text/html error messages which could act as an XSS vector (since 2.1.0) Bug 26437 allowed an attacker to create a URL to "/api/..." which would provoke an internal server error, resulting in the server returning an html page with text from the URL embedded and not escaped. This was fixed by ensuring all URLs below /api/ only ever return responses with a content type of application/json, even in the case of an internal server error. Upstream patches: http://hg.rabbitmq.com/rabbitmq-web-dispatch/rev/caf3d0a80cf3 References: https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Show replies by date

Red Hat Bugzilla

Friday, 23 January Fri, 23 Jan

11:14 p.m.

New subject: [Bug 1185514] RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 Kurt Seifried <kseifried(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1185513 -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

11:15 p.m.

New subject: [Bug 1185514] RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 Kurt Seifried <kseifried(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=moderate,public=2014 |impact=moderate,public=2014 |1029,reported=20150121,sour |1029,reported=20150121,sour |ce=internet,cvss2=4.3/AV:N/ |ce=internet,cvss2=4.3/AV:N/ |AC:M/Au:N/C:N/I:P/A:N,fedor |AC:M/Au:N/C:N/I:P/A:N,fedor |a-all/rabbitmq-server=new,e |a-all/rabbitmq-server=affec |pel-all/rabbitmq-server=new |ted,epel-all/rabbitmq-serve |,openstack-5-rhel6/rabbitmq |r=affected,openstack-5-rhel |-server=new,openstack-5-rhe |6/rabbitmq-server=new,opens |l7/rabbitmq-server=new,open |tack-5-rhel7/rabbitmq-serve |stack-6/rabbitmq-server=new |r=new,openstack-6/rabbitmq- | |server=new -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

11:16 p.m.

New subject: [Bug 1185514] RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 Kurt Seifried <kseifried(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1185516 Depends On| |1185517 --- Comment #1 from Kurt Seifried <kseifried(a)redhat.com> --- Created rabbitmq-server tracking bugs for this issue: Affects: fedora-all [bug 1185516] Affects: epel-all [bug 1185517] Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1185516 [Bug 1185516] rabbitmq-server: RabbitMQ: /api/... XSS vulnerability [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1185517 [Bug 1185517] rabbitmq-server: RabbitMQ: /api/... XSS vulnerability [epel-all] -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

Tuesday, 27 January Tue, 27 Jan

1:02 p.m.

New subject: [Bug 1185514] RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 Kurt Seifried <kseifried(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Alias| |CVE-2014-9649 -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

1:03 p.m.

New subject: [Bug 1185514] CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 Kurt Seifried <kseifried(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|RabbitMQ: /api/... XSS |CVE-2014-9649 RabbitMQ: |vulnerability |/api/... XSS vulnerability -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

Monday, 2 February Mon, 2 Feb

11:42 p.m.

New subject: [Bug 1185514] CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 Garth Mollett <gmollett(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |gmollett(a)redhat.com Whiteboard|impact=moderate,public=2014 |impact=moderate,public=2014 |1029,reported=20150121,sour |1029,reported=20150121,sour |ce=internet,cvss2=4.3/AV:N/ |ce=internet,cvss2=4.3/AV:N/ |AC:M/Au:N/C:N/I:P/A:N,fedor |AC:M/Au:N/C:N/I:P/A:N,fedor |a-all/rabbitmq-server=affec |a-all/rabbitmq-server=affec |ted,epel-all/rabbitmq-serve |ted,epel-all/rabbitmq-serve |r=affected,openstack-5-rhel |r=affected,openstack-5-rhel |6/rabbitmq-server=new,opens |6/rabbitmq-server=affected, |tack-5-rhel7/rabbitmq-serve |openstack-5-rhel7/rabbitmq- |r=new,openstack-6/rabbitmq- |server=affected,openstack-6 |server=new |/rabbitmq-server=affected -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

Monday, 27 July Mon, 27 Jul

10:20 p.m.

New subject: [Bug 1185514] CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 Garth Mollett <gmollett(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=moderate,public=2014 |impact=moderate,public=2014 |1029,reported=20150121,sour |1029,reported=20150121,sour |ce=internet,cvss2=4.3/AV:N/ |ce=internet,cvss2=4.3/AV:N/ |AC:M/Au:N/C:N/I:P/A:N,fedor |AC:M/Au:N/C:N/I:P/A:N,fedor |a-all/rabbitmq-server=affec |a-all/rabbitmq-server=affec |ted,epel-all/rabbitmq-serve |ted,epel-all/rabbitmq-serve |r=affected,openstack-5-rhel |r=affected,openstack-5/rabb |6/rabbitmq-server=affected, |itmq-server=defer,openstack |openstack-5-rhel7/rabbitmq- |-6/rabbitmq-server=defer |server=affected,openstack-6 | |/rabbitmq-server=affected | -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

Friday, 23 October Fri, 23 Oct

4:17 p.m.

New subject: [Bug 1185514] CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 Peter Lemenkov <plemenko(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED CC| |plemenko(a)redhat.com Fixed In Version| |rabbitmq-server-3.5.1-1.fc2 | |2 Resolution|--- |ERRATA Last Closed| |2015-10-23 17:17:49 --- Comment #2 from Peter Lemenkov <plemenko(a)redhat.com> --- Both this and corresponding bug 1185515 were addressed in RabbitMQ 3.4.1. We already ship ver. 3.5.x, so this issue is already fixed in Fedora 22+. As for Fedora 21 users, we strongly advise users to upgrade to F22 or to the upcoming F23. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

4:21 p.m.

New subject: [Bug 1185514] CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 Bug 1185514 depends on bug 1185516, which changed state. Bug 1185516 Summary: rabbitmq-server: various flaws [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1185516 What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |ERRATA -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

4:23 p.m.

New subject: [Bug 1185514] CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 Peter Lemenkov <plemenko(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|CLOSED |NEW Resolution|ERRATA |--- Keywords| |Reopened --- Comment #3 from Peter Lemenkov <plemenko(a)redhat.com> --- Reopening - unfortunately it still not fixed for EPEL7. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

Saturday, 21 November Sat, 21 Nov

8:25 a.m.

New subject: [Bug 1185514] CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 --- Comment #4 from Fedora Update System <updates(a)fedoraproject.org> --- rabbitmq-server-3.3.5-12.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

8:25 a.m.

New subject: [Bug 1185514] CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 Bug 1185514 depends on bug 1185517, which changed state. Bug 1185517 Summary: rabbitmq-server: various flaws [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=1185517 What |Removed |Added ---------------------------------------------------------------------------- Status|ON_QA |CLOSED Resolution|--- |ERRATA -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

Thursday, 4 February Thu, 4 Feb

9:02 p.m.

New subject: [Bug 1185514] CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 Garth Mollett <gmollett(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=moderate,public=2014 |impact=moderate,public=2014 |1029,reported=20150121,sour |1029,reported=20150121,sour |ce=internet,cvss2=4.3/AV:N/ |ce=internet,cvss2=4.3/AV:N/ |AC:M/Au:N/C:N/I:P/A:N,fedor |AC:M/Au:N/C:N/I:P/A:N,fedor |a-all/rabbitmq-server=affec |a-all/rabbitmq-server=affec |ted,epel-all/rabbitmq-serve |ted,epel-all/rabbitmq-serve |r=affected,openstack-5/rabb |r=affected,openstack-5/rabb |itmq-server=defer,openstack |itmq-server=affected,openst |-6/rabbitmq-server=defer |ack-6/rabbitmq-server=affec | |ted -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

9:22 p.m.

New subject: [Bug 1185514] CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 Garth Mollett <gmollett(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=moderate,public=2014 |impact=moderate,public=2014 |1029,reported=20150121,sour |1029,reported=20150121,sour |ce=internet,cvss2=4.3/AV:N/ |ce=internet,cvss2=4.3/AV:N/ |AC:M/Au:N/C:N/I:P/A:N,fedor |AC:M/Au:N/C:N/I:P/A:N,fedor |a-all/rabbitmq-server=affec |a-all/rabbitmq-server=affec |ted,epel-all/rabbitmq-serve |ted,epel-all/rabbitmq-serve |r=affected,openstack-5/rabb |r=affected,openstack-5/rabb |itmq-server=affected,openst |itmq-server=affected,openst |ack-6/rabbitmq-server=affec |ack-6/rabbitmq-server=affec |ted |ted,openstack-7/rabbitmq-se | |rver=affected,openstack-8/r | |abbitmq-server=affected -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

9:25 p.m.

New subject: [Bug 1185514] CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 Garth Mollett <gmollett(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1304946 Depends On| |1304947 Depends On| |1304948 Depends On| |1304949 Depends On| |1304950 -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

Tuesday, 23 February Tue, 23 Feb

5:33 p.m.

New subject: [Bug 1185514] CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 Summer Long <slong(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |slong(a)redhat.com --- Doc Text *updated* --- A cross-site scripting vulnerability was discovered in RabbitMQ, which allowed using api/ path info to inject and receive data. A remote attacker could use this flaw to create an "/api/..." URL, forcing a server error that resulted in the server returning an HTML page with embedded text from the URL (not escaped). -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

5:35 p.m.

New subject: [Bug 1185514] CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 Summer Long <slong(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(gmollett(a)redhat.c | |om) -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

6:27 p.m.

New subject: [Bug 1185514] CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 Garth Mollett <gmollett(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(gmollett(a)redhat.c | |om) | -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

7:28 p.m.

New subject: [Bug 1185514] CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 --- Comment #8 from Garth Mollett <gmollett(a)redhat.com> --- Acknowledgments: Name: (none) -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

Sunday, 28 February Sun, 28 Feb

11:10 p.m.

New subject: [Bug 1185514] CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 --- Comment #9 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: OpenStack 6 for RHEL 7 Via RHSA-2016:0308 https://rhn.redhat.com/errata/RHSA-2016-0308.html -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

Friday, 4 March Fri, 4 Mar

6:23 a.m.

New subject: [Bug 1185514] CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 Ján Rusnačko <jrusnack(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=moderate,public=2014 |impact=moderate,public=2014 |1029,reported=20150121,sour |1029,reported=20150121,sour |ce=internet,cvss2=4.3/AV:N/ |ce=internet,cvss2=4.3/AV:N/ |AC:M/Au:N/C:N/I:P/A:N,fedor |AC:M/Au:N/C:N/I:P/A:N,fedor |a-all/rabbitmq-server=affec |a-all/rabbitmq-server=affec |ted,epel-all/rabbitmq-serve |ted,epel-all/rabbitmq-serve |r=affected,openstack-5/rabb |r=affected,openstack-5/rabb |itmq-server=affected,openst |itmq-server=affected,openst |ack-6/rabbitmq-server=affec |ack-6/rabbitmq-server=affec |ted,openstack-7/rabbitmq-se |ted,openstack-7/rabbitmq-se |rver=affected,openstack-8/r |rver=affected,openstack-8/r |abbitmq-server=affected |abbitmq-server=affected,cwe | |=CWE-79[auto] -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

Tuesday, 8 March Tue, 8 Mar

2:27 a.m.

New subject: [Bug 1185514] CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 --- Doc Text *updated* by Martin Prpic <mprpic(a)redhat.com> --- A cross-site scripting vulnerability was discovered in RabbitMQ, which allowed using the 'api/' path info to inject and receive data. A remote attacker could use this flaw to create an 'api/' URL, forcing a server error that resulted in the server returning an HTML page with embedded text from the URL that was not escaped. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

2:32 a.m.

New subject: [Bug 1185514] CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 --- Doc Text *updated* by Martin Prpic <mprpic(a)redhat.com> --- A cross-site scripting vulnerability was discovered in RabbitMQ, which allowed using api/ path info to inject and receive data. A remote attacker could use this flaw to create an "/api/..." URL, forcing a server error that resulted in the server returning an HTML page with embedded text from the URL (not escaped). -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

4:54 p.m.

New subject: [Bug 1185514] CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 --- Comment #10 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 Via RHSA-2016:0369 https://rhn.redhat.com/errata/RHSA-2016-0369.html -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

4:55 p.m.

New subject: [Bug 1185514] CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 --- Comment #11 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 Via RHSA-2016:0368 https://rhn.redhat.com/errata/RHSA-2016-0368.html -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

4:55 p.m.

New subject: [Bug 1185514] CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 --- Comment #12 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 Via RHSA-2016:0367 https://rhn.redhat.com/errata/RHSA-2016-0367.html -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Red Hat Bugzilla

5:39 p.m.

New subject: [Bug 1185514] CVE-2014-9649 RabbitMQ: /api/... XSS vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=1185514 Garth Mollett <gmollett(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |ERRATA Last Closed|2015-10-23 17:17:49 |2016-03-08 18:39:57 -- You are receiving this mail because: You are on the CC list for the bug.

Reply

2969

days inactive

3378

days old

erlang@lists.fedoraproject.org

Manage subscription

27 comments

1 participants

tags (0)

participants (1)

Red Hat Bugzilla