CVE-2019-11291 LOW

CVE-2019-11291: RabbitMQ XSS attack via federation and shovel endpoints

Vendor Pivotal
Product RabbitMQ
Weakness CWE-79 · XSS
Published November 22, 2019
Last update September 17, 2024

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

Description

Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 versions prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross-site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.
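The two things a defender wants from this record are an affected-version check and a reminder of what the CWE-79 fix looks like: vhost and node names are user-controlled strings and must be HTML-escaped before they are rendered into a management page. The following is an added example, not RabbitMQ's or Pivotal's code; the fixed-version table is taken from the description above, `renderFederationRow` is a hypothetical renderer standing in for the federation/shovel UI, and the sample names are constructed.

```javascript
// Added example for CVE-2019-11291 (not RabbitMQ code).
// 1. Is an installed version inside the affected ranges the advisory states?
// 2. Render user-controlled vhost/node names without letting them be parsed as HTML.

// Parse "v3.7.19" into [3, 7, 19]. Assumption: plain dotted numeric versions.
function parseVersion(v) {
  return String(v).replace(/^v/, '').split('.').map(Number);
}

// Lexicographic compare of numeric version components; missing parts count as 0.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// First fixed release per branch, as stated in the advisory text.
const FIXED_VERSIONS = {
  rabbitmq: { '3.7': '3.7.20', '3.8': '3.8.1' },
  pcf:      { '1.16': '1.16.7', '1.17': '1.17.4' },
};

// true if `version` of `product` ('rabbitmq' or 'pcf') is below the fix for its branch.
// Branches the advisory does not mention (e.g. 3.6.x) return false: not covered, not "safe".
function isAffected(product, version) {
  const table = FIXED_VERSIONS[product] || {};
  const [major, minor] = parseVersion(version);
  const fixed = table[`${major}.${minor}`];
  if (!fixed) return false;
  return compareVersions(version, fixed) < 0;
}

// Escape the five characters that matter in text nodes and quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hypothetical table-row renderer: vhost and node names originate from whoever
// had permission to create them, so they are treated as data, never as markup.
function renderFederationRow(vhost, node) {
  return `<tr><td>${escapeHtml(vhost)}</td><td>${escapeHtml(node)}</td></tr>`;
}

// Usage with constructed sample values.
console.log(isAffected('rabbitmq', '3.7.19')); // true
console.log(isAffected('rabbitmq', '3.8.1'));  // false
console.log(renderFederationRow('/', 'rabbit@host1'));
```

In a browser the same rule is simplest to honour by assigning names to `textContent` rather than building markup strings at all; the escaper above is for the server-side or template path where a string is unavoidable.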

Key dates

Disclosure timeline

November 22, 2019 CVE published
September 17, 2024 Record updated