CVE-2017-4966: RabbitMQ local storage of credentials


Severity

Medium

Vendor

Pivotal

Description

The RabbitMQ management UI stores the signed-in user's credentials in the browser's local storage without any expiration, so they persist after the session ends and can be retrieved by chaining this with any attack that can read local storage for the management UI's origin.
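The weak storage pattern the description refers to, beside a hardened form that keeps only a short-lived session token and enforces its expiry, as an added JavaScript example that is not code from the RabbitMQ management UI: the key names, the in-memory stand-in for the Web Storage API and the sample credentials are assumptions made so the block runs under Node without a browser.

```javascript
// Added illustration, not RabbitMQ's own code. The MemoryStorage class
// stands in for window.localStorage (same getItem/setItem/removeItem
// calls) so the two patterns can be exercised outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

const CRED_KEY = 'auth';        // assumed key name for this example
const SESSION_KEY = 'session';  // assumed key name for this example

// Vulnerable pattern: the username and password are written to persistent
// storage and nothing ever removes them. Any code that can read storage for
// this origin (an injected script, a malicious extension, a user at the
// same machine) recovers them long after the user has finished.
function storeCredentialsVulnerable(storage, username, password) {
  const encoded = Buffer.from(`${username}:${password}`).toString('base64');
  storage.setItem(CRED_KEY, encoded);
}

function readCredentialsVulnerable(storage) {
  const v = storage.getItem(CRED_KEY);
  if (v === null) return null;
  const plain = Buffer.from(v, 'base64').toString('utf8');
  const i = plain.indexOf(':');
  if (i < 0) return null;
  return { username: plain.slice(0, i), password: plain.slice(i + 1) };
}

// Hardened pattern: persist only an opaque, server-issued session token
// together with its expiry, and refuse (and purge) it once that time has
// passed. `now` is a parameter so the expiry logic can be tested directly.
function storeSessionHardened(storage, token, ttlMs, now = Date.now()) {
  storage.setItem(SESSION_KEY, JSON.stringify({ token, expires: now + ttlMs }));
}

function readSessionHardened(storage, now = Date.now()) {
  const raw = storage.getItem(SESSION_KEY);
  if (raw === null) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch { rec = null; }
  const valid = rec && typeof rec === 'object' &&
    typeof rec.token === 'string' && typeof rec.expires === 'number' &&
    now < rec.expires;
  if (!valid) {
    storage.removeItem(SESSION_KEY);  // expired or malformed: drop it
    return null;
  }
  return rec.token;
}

// Explicit logout: remove whatever the client persisted.
function clearSession(storage) {
  storage.removeItem(SESSION_KEY);
  storage.removeItem(CRED_KEY);
}

// Stand-alone demonstration with constructed sample values.
const weak = new MemoryStorage();
storeCredentialsVulnerable(weak, 'guest', 'guest');
console.log('vulnerable store still yields:', readCredentialsVulnerable(weak));

const strong = new MemoryStorage();
storeSessionHardened(strong, 'tok-abc123', 60 * 1000, 0);
console.log('hardened, before expiry:', readSessionHardened(strong, 30 * 1000));
console.log('hardened, after expiry:', readSessionHardened(strong, 60 * 1000));
```

The vulnerable half never expires anything, which is the behaviour the advisory describes; the hardened half purges the record on first use after expiry, so a later reader of storage finds nothing, and `clearSession` gives logout something to remove.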

Affected Pivotal Products and Versions

Severity is medium unless otherwise noted.

  • Pivotal RabbitMQ versions:
    • All 3.4.x versions
    • All 3.5.x versions
    • 3.6.x versions prior to 3.6.9
  • RabbitMQ for PCF versions:
    • All 1.5.x versions
    • 1.6.x versions prior to 1.6.18
    • 1.7.x versions prior to 1.7.15
  • Please note: RabbitMQ for PCF 1.8.x versions are not vulnerable to this issue.

Mitigation

Users of affected versions should apply the following mitigation:

  • Releases that have fixed this issue include:
    • Pivotal RabbitMQ: 3.6.9
    • RabbitMQ for PCF: 1.6.18, 1.7.15
  • Please note: Users of RabbitMQ for PCF versions 1.5.x or lower should upgrade to 1.6.18 or later.

Credit

This issue was responsibly reported by the GE Digital Security Team.

History

2017-05-04: Initial vulnerability report published