CVE-2019-11291

MEDIUM

RabbitMQ 3.7.0-3.7.19 and 3.8.0 - Authenticated Cross-Site Scripting via Federation and Shovel Endpoints

Title source: llm

Description

Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://pivotal.io/security/cve-2019-11291

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2020:0553

Scores

CVSS v3 4.8

EPSS 0.0048

EPSS Percentile 65.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (5)

broadcom/rabbitmq_server 3.8.0

broadcom/rabbitmq_server 3.7.0 - 3.7.20

Hex/rabbit_common 3.7.0 - 3.7.20Hex

redhat/openstack 15

vmware/rabbitmq 1.16.0 - 1.16.7

Published Nov 22, 2019

Tracked Since Feb 18, 2026