CVE-2017-4966

Priority
Description
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x
versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these
RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to
1.6.18, and 1.7.x versions prior to 1.7.15. RabbitMQ management UI stores
signed-in user credentials in a browser's local storage without expiration,
making it possible to retrieve them using a chained attack.
Notes
Package
Upstream: released (3.6.9)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was not-affected)
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was not-affected)
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (3.6.10-1)
Ubuntu 19.04 (Disco Dingo): not-affected (3.6.10-1)
Ubuntu 19.10 (Eoan): not-affected (3.6.10-1)
Patches:
Upstream: https://github.com/rabbitmq/rabbitmq-management/commit/2371633f99ad0d293899384f078872ff9e9f3e10

Updated: 2019-10-18 02:33:21 UTC (commit cccfc4426d8c1fbf582a89d981fe7fc812124543)