CVE-2019-11291

EPSS 0.48%
Published 22.11.2019 23:15:11
Last modified 02.04.2025 14:13:43
Source security@pivotal.io
Teams watchlist Login
Open Login

Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.

Affected products Warnungen 0 Metrics 4 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Broadcom ≫ Rabbitmq Server Version >= 3.7.0 < 3.7.20

Broadcom ≫ Rabbitmq Server Version3.8.0

VMware ≫ Rabbitmq SwPlatformpivotal_cloud_foundry Version >= 1.16.0 < 1.16.7

VMware ≫ Rabbitmq SwPlatformpivotal_cloud_foundry Version >= 1.17.0 < 1.17.4

Redhat ≫ Openstack Version15

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.48%	0.642

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.8	1.7	2.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:N/I:P/A:N
security@pivotal.io	3.1	0.5	2.5	CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://access.redhat.com/errata/RHSA-2020:0553

Third Party Advisory

https://pivotal.io/security/cve-2019-11291

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-11291

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-11291

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-11291

EUVD