CVE-2017-4966: RabbitMQ local storage of credentials
RabbitMQ management UI stores signed in user credentials in browser’s local storage without expiration, making it possible to retrieve them using a chained attack.
Severity is medium unless otherwise noted.
- Pivotal RabbitMQ versions:
- All 3.4.x versions
- All 3.5.x versions
- 3.6.x versions prior to 3.6.9
- RabbitMQ for PCF versions:
- All 1.5.x versions
- 1.6.x versions prior to 1.6.18
- 1.7.x versions prior to 1.7.15
- Please note: RabbitMQ for PCF 1.8.x versions are not vulnerable to this issue.
Users of affected versions should apply the following mitigation:
- Releases that have fixed this issue include:
- Pivotal RabbitMQ: 3.6.9
- RabbitMQ for PCF: 1.6.18, 1.7.15
- Please note: Users of RabbitMQ for PCF versions 1.5.x or lower should upgrade to 1.6.18 or later.
These issues were responsibly reported by the GE Digital Security Team.
2017-05-04: Initial vulnerability report published