PT-2019-6097 · Pivotal · RabbitMQ

Published 2019-10-15 · Updated 2023-02-15 · CVE-2019-11281

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Pivotal RabbitMQ versions prior to 3.7.18
RabbitMQ for PCF versions 1.15.x prior to 1.15.13
RabbitMQ for PCF versions 1.16.x prior to 1.16.6
RabbitMQ for PCF versions 1.17.x prior to 1.17.3
Description
The issue is caused by insufficient sanitization of user input in the web-based management UI of the RabbitMQ message broker. Two pages, the virtual host limits page and the federation management UI, render user-controlled values without properly encoding them. A remote attacker who is authenticated with administrative access can craft a cross-site scripting payload that executes in the browser of a user viewing these pages, gaining access to virtual host and policy management information. The CVSS vector reflects this: the attacker needs high privileges (PR:H) and a victim's interaction (UI:R); the impact on the confidentiality and integrity of management data is low (C:L/I:L); and the scope is changed (S:C) because the script runs in the victim's browser rather than in the broker itself.
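The bug class described above, shown as an added illustration (hypothetical code written for this page, not RabbitMQ's own implementation): a management page builds table rows from names stored by one administrator and viewed by another. renderVhostLimitsRowUnsafe interpolates the vhost name raw, the way the affected pages failed to sanitize input; renderVhostLimitsRowSafe encodes every untrusted field at the output boundary. The sample data, the payload and all function names are constructed for the example.

```javascript
// Added illustration of the bug class behind CVE-2019-11281: a management
// page that builds HTML from names stored by an administrator without
// encoding them. Hypothetical code, not RabbitMQ's own implementation.

// Constructed sample input, shaped like a JSON list a management UI might
// fetch for a "virtual host limits" table. The second vhost name was chosen
// by a malicious administrator; it is an ordinary string until a page
// interpolates it into markup.
const SAMPLE_VHOST_LIMITS = [
  { vhost: "/", "max-connections": 100 },
  {
    vhost: '<img src=x onerror="fetch(\'/api/vhosts\').then(r=>r.text()).then(alert)">',
    "max-connections": 10,
  },
];

// Vulnerable pattern: the untrusted field is concatenated straight into
// markup that will be assigned to innerHTML. The browser parses the <img>
// tag and runs its onerror handler as the viewing user.
function renderVhostLimitsRowUnsafe(limit) {
  return `<tr><td>${limit.vhost}</td><td>${limit["max-connections"]}</td></tr>`;
}

// Minimal HTML entity encoder, safe for element text and for values placed
// inside double- or single-quoted attributes. It is deliberately not an
// allow-list: every special character is encoded, nothing is stripped.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every field that did not come from the template itself
// is encoded at the output boundary, regardless of who was allowed to set it.
function renderVhostLimitsRowSafe(limit) {
  return `<tr><td>${escapeHtml(limit.vhost)}</td>` +
         `<td>${escapeHtml(limit["max-connections"])}</td></tr>`;
}

// Table wrapper; the row renderer is injected so both variants can be compared.
function renderVhostLimitsTable(limits, renderRow) {
  return `<table>${limits.map(renderRow).join("")}</table>`;
}

// Review check: the template only ever emits <table>, <tr> and <td>, so any
// other tag in the rendered output must have come from the data.
function containsUnexpectedTag(html) {
  return /<(?!\/?(?:table|tr|td)>)/.test(html);
}

// Stand-alone demonstration of both renderings on the constructed data.
console.log("unsafe:", renderVhostLimitsTable(SAMPLE_VHOST_LIMITS, renderVhostLimitsRowUnsafe));
console.log("safe:  ", renderVhostLimitsTable(SAMPLE_VHOST_LIMITS, renderVhostLimitsRowSafe));
```

The point of the check is that the privilege of whoever wrote the value is irrelevant: the vhost name was set by an account with administrative rights, which is exactly what PR:H in the vector says, and the payload still fires in the browser of the next administrator who opens the page. Encoding at the output boundary is the fix regardless of input-side trust.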
Recommendations
For Pivotal RabbitMQ versions prior to 3.7.18, update to version 3.7.18 or later.
For RabbitMQ for PCF versions 1.15.x prior to 1.15.13, update to version 1.15.13 or later.
For RabbitMQ for PCF versions 1.16.x prior to 1.16.6, update to version 1.16.6 or later.
For RabbitMQ for PCF versions 1.17.x prior to 1.17.3, update to version 1.17.3 or later.
As a temporary workaround, restrict access to the virtual host limits page and the federation management UI. Because exploitation requires an account with administrative access plus a second user who views the affected pages, also keep the number of accounts with administrative rights to a minimum and do not expose the management UI to untrusted networks until the update is applied.


Weakness Enumeration

XSS (cross-site scripting)

Related Identifiers

BDU:2021-05298
CVE-2019-11281
DLA-2710-1
DLA-2710-2
RHSA-2020:0078

Affected Products

Astra Linux
Rabbitmq