SB2019112829 - Fedora 31 update for rabbitmq-server 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019112829

SB2019112829 - Fedora 31 update for rabbitmq-server

Published: November 28, 2019 Updated: April 25, 2025

Security Bulletin ID SB2019112829
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2019-11281)

The vulnerability allows a remote privileged user to read and manipulate data.

Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.


2) Input validation error (CVE-ID: CVE-2019-11287)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input passed via the "X-Reason" HTTP Header. A remote attacker can inject a malicious Erlang format string into the "X-Reason" HTTP Header that once expanded will consume the heap, resulting in the server crashing.


Remediation

Install update from vendor's website.

References