CVE-2019-11291

Summary

Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.

Affected Software

VendorProductVersion RangeStatus
PivotalRabbitMQ3.8 < v3.8.1affected
PivotalRabbitMQ3.7 < v3.7.20affected
PivotalRabbitMQ for Pivotal Platform1.17 < 1.17.4affected
PivotalRabbitMQ for Pivotal Platform1.16 < 1.16.7affected

Weaknesses

  • CWE-79: CWE-79: Cross-site Scripting (XSS) - Generic

ADP Enrichment

CVE Program Container

Additional References

References