PT-2019-6377 · Pivotal+1 · Rabbitmq

Published

2019-10-25

·

Updated

2022-07-01

·

CVE-2019-11291

CVSS v2.0

4.9

Medium

Vector

AV:N/AC:M/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Pivotal RabbitMQ versions prior to 3.7.20
Pivotal RabbitMQ version 3.8 prior to 3.8.1
RabbitMQ for PCF versions 1.16.x prior to 1.16.7
RabbitMQ for PCF versions 1.17.x prior to 1.17.4

Description

The issue is related to the improper sanitization of user input in the federation and shovel endpoints, which could allow a remote authenticated malicious user with administrative access to craft a cross-site scripting attack. This attack could potentially grant access to virtual hosts and policy management information via the vhost or node name fields. The vulnerability may also impact the integrity of data.

Recommendations

For Pivotal RabbitMQ versions prior to 3.7.20, update to version 3.7.20 or later.
For Pivotal RabbitMQ version 3.8 prior to 3.8.1, update to version 3.8.1 or later.
For RabbitMQ for PCF versions 1.16.x prior to 1.16.7, update to version 1.16.7 or later.
For RabbitMQ for PCF versions 1.17.x prior to 1.17.4, update to version 1.17.4 or later.

As a temporary workaround, consider restricting access to the federation and shovel endpoints until a patch is available.

Fix

XSS


Weakness Enumeration

Related Identifiers

BDU:2023-04781
CVE-2019-11291
GHSA-9PF7-F47Q-MWPQ
RHSA-2020:0553

Affected Products

Rabbitmq