CVE-2017-4965 and CVE-2017-4967: XSS vulnerabilities in RabbitMQ management UI
Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
Severity is high unless otherwise noted.
- Pivotal RabbitMQ versions:
  - All 3.4.x versions
  - All 3.5.x versions
  - 3.6.x versions prior to 3.6.9
- RabbitMQ for PCF versions:
  - All 1.5.x versions
  - 1.6.x versions prior to 1.6.18
  - 1.7.x versions prior to 1.7.15
- Please note: RabbitMQ for PCF 1.8.x versions are not vulnerable to this issue.
Users of affected versions should apply the following mitigation:
- Releases that have fixed this issue include:
  - Pivotal RabbitMQ: 3.6.9
  - RabbitMQ for PCF: 1.6.18, 1.7.15
- Please note: Users of RabbitMQ for PCF versions 1.5.x or lower should upgrade to 1.6.18 or later.
These issues were responsibly reported by the GE Digital Security Team and by Brandon Williams from Early Warning.
2017-05-04: Initial vulnerability report published