[ASA-202107-17] rabbitmq: cross-site scripting
Arch Linux Security Advisory ASA-202107-17
==========================================

Severity: Low
Date    : 2021-07-06
CVE-ID  : CVE-2021-32718 CVE-2021-32719
Package : rabbitmq
Type    : cross-site scripting
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2109

Summary
=======

The package rabbitmq before version 3.8.19-1 is vulnerable to cross-site
scripting.

Resolution
==========

Upgrade to 3.8.19-1.

# pacman -Syu "rabbitmq>=3.8.19-1"

The problems have been fixed upstream in version 3.8.19.

Workaround
==========

As a workaround, disable the rabbitmq_management plugin and use CLI tools
for management operations and Prometheus and Grafana for metrics and
monitoring. Note that the HTTP API is served by the same plugin, so
HTTP-based tooling such as rabbitmqadmin stops working while it is
disabled.

Description
===========

- CVE-2021-32718 (cross-site scripting)

In rabbitmq-server prior to version 3.8.17, a new user being added via the
management UI could lead to the user's name being rendered in a
confirmation message without proper <script> tag sanitization,
potentially allowing for JavaScript code execution in the context of the
page. In order for this to occur, the attacker must be signed in and have
elevated permissions (management of other users).

- CVE-2021-32719 (cross-site scripting)

In rabbitmq-server prior to version 3.8.18, when a federation link was
displayed in the RabbitMQ management UI via the
rabbitmq_federation_management plugin, its consumer tag was rendered
without proper <script> tag sanitization, potentially allowing for
JavaScript code execution in the context of the page.

Impact
======

Crafted user names and federation link consumer tags could be used to
inject arbitrary JavaScript code into the management web UI, which then
runs with the privileges of whoever is viewing the affected page.

References
==========

https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-c3hj-rg...
https://github.com/rabbitmq/rabbitmq-server/pull/3028
https://github.com/rabbitmq/rabbitmq-server/commit/a7373585faeac0aaede5a9c24...
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hx...
https://github.com/rabbitmq/rabbitmq-server/pull/3122
https://github.com/rabbitmq/rabbitmq-server/commit/08beb82e9ab8923ded88ece28...
https://security.archlinux.org/CVE-2021-32718
https://security.archlinux.org/CVE-2021-32719
participants (1): Jonas Witschel