SB2015012707 - Multiple vulnerabilities in Pivotal RabbitMQ 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2015012707

SB2015012707 - Multiple vulnerabilities in Pivotal RabbitMQ

Published: January 27, 2015 Updated: August 19, 2020

Security Bulletin ID SB2015012707
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2014-9650)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

CRLF injection vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the download parameter to api/definitions. 


2) Cross-site scripting (CVE-ID: CVE-2014-9649)

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 when processing path info to api/, which is not properly handled in an error message. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install update from vendor's website.

References