PT-2017-4069 · Pivotal · RabbitMQ for PCF

Published

2017-06-13

·

Updated

2025-04-02

·

CVE-2017-4966

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

RabbitMQ 3.4.x and 3.5.x (all releases), and 3.6.x prior to 3.6.9
RabbitMQ for PCF 1.5.x (all releases), 1.6.x prior to 1.6.18, and 1.7.x prior to 1.7.15
Description

Information disclosure. The RabbitMQ management UI stores the signed-in user's credentials in the browser's local storage (window.localStorage) without any expiration, so they persist across browser sessions and restarts until explicitly removed. Local storage is readable by any script running in the management UI's origin and by anyone who can read the browser profile on disk, so the stored credentials can be recovered through a chained attack: on its own the weakness leaks nothing, but combined with same-origin script execution or local access to the user's machine it yields the plaintext credentials (hence the local attack vector, AV:L/PR:L, above).
Recommendations

Update to a fixed release:

RabbitMQ 3.4.x, 3.5.x, and 3.6.x prior to 3.6.9: update to 3.6.9 or later.
RabbitMQ for PCF 1.5.x and 1.6.x prior to 1.6.18: update to 1.6.18 or later.
RabbitMQ for PCF 1.7.x prior to 1.7.15: update to 1.7.15 or later.

Until the update is applied, clearing the browser's local storage for the management UI origin removes the stored credentials, but only the copy written so far: the unpatched UI writes them again on every sign-in, so storage has to be cleared after each session for the workaround to hold.
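To make the description and the workaround above concrete, here is an added example (not RabbitMQ's or Pivotal's code, and not the project's actual fix): a JavaScript model of the weak storage pattern, a hardened alternative that keeps the password out of storage and stores only an expiring session token, and a check that scans a Storage object for credential-shaped entries and removes them. The key name `auth`, the Base64 `user:password` encoding, the `session` key and the `MemoryStorage` shim are assumptions for the demonstration; in a browser, pass `window.localStorage` to `findStoredCredentials` and `clearStoredCredentials` instead.

```javascript
// Added example, not RabbitMQ's or Pivotal's code. Models the weakness in CVE-2017-4966
// (credentials persisted in localStorage without expiry), a hardened alternative, and a
// check that can be run against a real Storage object. Assumptions (not from the advisory):
// the key names 'auth' and 'session' and the Base64 "user:password" encoding are hypothetical.

// Minimal Web Storage shim so the example also runs under Node; in a browser pass
// window.localStorage or window.sessionStorage instead.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return i < this.map.size ? Array.from(this.map.keys())[i] : null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
  clear() { this.map.clear(); }
}

// Base64 helpers that work in both the browser (btoa/atob) and older Node (Buffer).
function toBase64(s) {
  return typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'latin1').toString('base64');
}
function fromBase64(s) {
  return typeof atob === 'function' ? atob(s) : Buffer.from(s, 'base64').toString('latin1');
}

// Vulnerable pattern: the credential pair itself is written to localStorage, which
// persists across browser restarts and never expires. Anything that can run script in
// this origin, or read the browser profile on disk, can read it back.
function vulnerableLogin(storage, username, password) {
  storage.setItem('auth', toBase64(`${username}:${password}`));
}

// Hardened pattern (one possible design, not necessarily RabbitMQ's fix): keep the
// password out of storage entirely; store only an opaque server-issued session token
// with an absolute expiry, ideally in sessionStorage so it dies with the tab.
function hardenedLogin(storage, token, ttlMs, now = Date.now()) {
  storage.setItem('session', JSON.stringify({ token, exp: now + ttlMs }));
}
function hardenedRead(storage, now = Date.now()) {
  const raw = storage.getItem('session');
  if (raw === null) return null;
  const { token, exp } = JSON.parse(raw);
  if (!(now < exp)) { storage.removeItem('session'); return null; } // expired: treat as signed out
  return token;
}

// Check: scan a Storage object for values that Base64-decode to a Basic-auth style
// "user:password" pair. Returns key and username only; the password is never echoed.
function findStoredCredentials(storage) {
  const hits = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key);
    if (!/^[A-Za-z0-9+/]+={0,2}$/.test(value)) continue; // not Base64-shaped
    let decoded;
    try { decoded = fromBase64(value); } catch (e) { continue; }
    // printable ASCII: a username without ':' or whitespace, a colon, then a password
    const m = /^([\x21-\x39\x3b-\x7e]+):([\x20-\x7e]+)$/.exec(decoded);
    if (m) hits.push({ key, username: m[1] });
  }
  return hits;
}

// The advisory's workaround made selective: remove only the entries holding credentials
// rather than the whole store. Returns the number of entries removed.
function clearStoredCredentials(storage) {
  const hits = findStoredCredentials(storage);
  for (const { key } of hits) storage.removeItem(key);
  return hits.length;
}

// Demonstration on constructed data (sample credentials, not real ones).
const weak = new MemoryStorage();
vulnerableLogin(weak, 'guest', 'guest');
weak.setItem('ui-pref', 'true'); // unrelated preference, must not be flagged
console.log('leaked:', findStoredCredentials(weak));   // [{ key: 'auth', username: 'guest' }]
console.log('removed:', clearStoredCredentials(weak)); // 1

const strong = new MemoryStorage();
hardenedLogin(strong, 'opaque-token-123', 60000, 0);
console.log('token at t=30s:', hardenedRead(strong, 30000)); // 'opaque-token-123'
console.log('token at t=60s:', hardenedRead(strong, 60000)); // null (expired)
console.log('leaked:', findStoredCredentials(strong));       // []
```

The finder is a heuristic: it only recognises printable-ASCII `user:password` pairs, so it will miss credentials stored under a different encoding, and it deliberately returns usernames rather than passwords so that its output can be logged safely.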

Exploit

Fix

Information Disclosure

Related Identifiers

BDU:2021-01405
CVE-2017-4966
DLA-2710-1
DLA-2710-2
USN-6265-1

Affected Products

RabbitMQ
RabbitMQ for PCF
Ubuntu