CVE-2017-4966

Priority
Description
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x
versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these
RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to
1.6.18, and 1.7.x versions prior to 1.7.15. RabbitMQ management UI stores
signed-in user credentials in a browser's local storage without expiration,
making it possible to retrieve them using a chained attack.
Notes
Package
Upstream: released (3.6.9)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was not-affected)
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was not-affected)
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (3.6.10-1)
Ubuntu 20.04 LTS (Focal Fossa): not-affected (3.6.10-1)
Ubuntu 20.10 (Groovy Gorilla): not-affected (3.6.10-1)
Patches:
Upstream: https://github.com/rabbitmq/rabbitmq-management/commit/2371633f99ad0d293899384f078872ff9e9f3e10
More Information

Updated: 2020-09-09 21:33:50 UTC (commit b67d7d8b03f173f825cd706df5bd078bca500b0e)