Arch Linux 803 Published by

A rabbitmq security update has been released for Arch Linux.



ASA-202107-17: rabbitmq: cross-site scripting


Arch Linux Security Advisory ASA-202107-17
=========================================
Severity: Low
Date : 2021-07-06
CVE-ID : CVE-2021-32718 CVE-2021-32719
Package : rabbitmq
Type : cross-site scripting
Remote : Yes
Link :   https://security.archlinux.org/AVG-2109

Summary
======
The package rabbitmq before version 3.8.19-1 is vulnerable to cross-
site scripting.

Resolution
=========
Upgrade to 3.8.19-1.

# pacman -Syu "rabbitmq>=3.8.19-1"

The problems have been fixed upstream in version 3.8.19.

Workaround
=========
As a workaround, disable the rabbitmq_management plugin and use CLI
tools for management operations and Prometheus and Grafana for metrics
and monitoring.

Description
==========
- CVE-2021-32718 (cross-site scripting)

In rabbitmq-server prior to version 3.8.17, a new user being added via
management UI could lead to the user's bane being rendered in a
confirmation message without proper tag sanitization,
potentially allowing for JavaScript code execution in the context of
the page. In order for this to occur, the user must be signed in and
have elevated permissions (other user management).

- CVE-2021-32719 (cross-site scripting)

In rabbitmq-server prior to version 3.8.18, when a federation link was
displayed in the RabbitMQ management UI via the
rabbitmq_federation_management plugin, its consumer tag was rendered
without proper tag sanitization, potentially allowing for
JavaScript code execution in the context of the page.

Impact
=====
Crafted user banes and federation links could be used to inject
arbitrary JavaScript code into the management web UI.

References
=========
  https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-c3hj-rg5h-2772
  https://github.com/rabbitmq/rabbitmq-server/pull/3028
  https://github.com/rabbitmq/rabbitmq-server/commit/a7373585faeac0aaede5a9c245094d8022e81299
  https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hxj4-773x
  https://github.com/rabbitmq/rabbitmq-server/pull/3122
  https://github.com/rabbitmq/rabbitmq-server/commit/08beb82e9ab8923ded88ece2800cd80971e2bd05
  https://security.archlinux.org/CVE-2021-32718
  https://security.archlinux.org/CVE-2021-32719