Candidate: CVE-2021-32718
PublicDate: 2021-06-28 15:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32718
 https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-c3hj-rg5h-2772
 https://github.com/rabbitmq/rabbitmq-server/pull/3028
Description:
 RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to
 version 3.8.17, a new user being added via management UI could lead to the
 user's bane being rendered in a confirmation message without proper
 `<script>` tag sanitization, potentially allowing for JavaScript code
 execution in the context of the page. In order for this to occur, the user
 must be signed in and have elevated permissions (other user management).
 The vulnerability is patched in RabbitMQ 3.8.17. As a workaround, disable
 `rabbitmq_management` plugin and use CLI tools for management operations
 and Prometheus and Grafana for metrics and monitoring.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: low
Discovered-by: Christian Rellmann
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N [5.4 MEDIUM]


Patches_rabbitmq-server:
 upstream: https://github.com/rabbitmq/rabbitmq-server/pull/3028
upstream_rabbitmq-server: released (3.8.17,3.9.4-1)
trusty_rabbitmq-server: ignored (out of standard support)
trusty/esm_rabbitmq-server: DNE
xenial_rabbitmq-server: ignored (out of standard support)
esm-infra/xenial_rabbitmq-server: needed
bionic_rabbitmq-server: needed
focal_rabbitmq-server: needed
groovy_rabbitmq-server: ignored (reached end-of-life)
hirsute_rabbitmq-server: ignored (reached end-of-life)
impish_rabbitmq-server: needed
jammy_rabbitmq-server: not-affected (3.9.8-6)
devel_rabbitmq-server: not-affected (3.9.8-6)