cnvd - cnvd-2017-08190

cnvd-2017-08190

Vulnerability from cnvd

Title: Pivotal RabbitMQ产品跨站脚本漏洞

Description:

Pivotal RabbitMQ和RabbitMQ for PCF都是美国Pivotal Software公司的产品。前者是一套实现了高级消息队列协议（AMQP）的开源消息代理软件，后者是一款开源的用于支持基于全局数据传送和高容量的数据监测的消息服务器。

Pivotal RabbitMQ和Pivotal RabbitMQ for PCF中存在跨站脚本漏洞，该漏洞源于程序未能正确的过滤用户提交的输入。攻击者可利用该漏洞在浏览器中执行任意的脚本代码。

Severity: 高

Patch Name: Pivotal RabbitMQ产品跨站脚本漏洞的补丁

Patch Description:

Pivotal RabbitMQ和Pivotal RabbitMQ for PCF中存在跨站脚本漏洞，该漏洞源于程序未能正确的过滤用户提交的输入。攻击者可利用该漏洞在浏览器中执行任意的脚本代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

用户可参考如下厂商提供的安全补丁以修复该漏洞： http://www.pivota.com

Reference: http://www.securityfocus.com/bid/98394

Impacted products

Name
['Pivotal RabbitMQ for PCF 1.6.12', 'Pivotal RabbitMQ for PCF 1.6.4', 'Pivotal RabbitMQ for PCF 1.6.3', 'Pivotal RabbitMQ for PCF 1.6.2', 'Pivotal RabbitMQ for PCF 1.6.1', 'Pivotal RabbitMQ for PCF 1.6', 'Pivotal RabbitMQ for PCF 1.5.20', 'Pivotal RabbitMQ for PCF 1.5', 'Pivotal RabbitMQ 3.6.6', 'Pivotal RabbitMQ 3.6', 'Pivotal RabbitMQ 3.5', 'Pivotal RabbitMQ 3.4', 'Pivotal RabbitMQ for PCF 1.7.7', 'Pivotal RabbitMQ for PCF 1.7']

Name

['Pivotal RabbitMQ for PCF 1.6.12', 'Pivotal RabbitMQ for PCF 1.6.4', 'Pivotal RabbitMQ for PCF 1.6.3', 'Pivotal RabbitMQ for PCF 1.6.2', 'Pivotal RabbitMQ for PCF 1.6.1', 'Pivotal RabbitMQ for PCF 1.6', 'Pivotal RabbitMQ for PCF 1.5.20', 'Pivotal RabbitMQ for PCF 1.5', 'Pivotal RabbitMQ 3.6.6', 'Pivotal RabbitMQ 3.6', 'Pivotal RabbitMQ 3.5', 'Pivotal RabbitMQ 3.4', 'Pivotal RabbitMQ for PCF 1.7.7', 'Pivotal RabbitMQ for PCF 1.7']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "98394"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-4965"
    }
  },
  "description": "Pivotal RabbitMQ\u548cRabbitMQ for PCF\u90fd\u662f\u7f8e\u56fdPivotal Software\u516c\u53f8\u7684\u4ea7\u54c1\u3002\u524d\u8005\u662f\u4e00\u5957\u5b9e\u73b0\u4e86\u9ad8\u7ea7\u6d88\u606f\u961f\u5217\u534f\u8bae\uff08AMQP\uff09\u7684\u5f00\u6e90\u6d88\u606f\u4ee3\u7406\u8f6f\u4ef6\uff0c\u540e\u8005\u662f\u4e00\u6b3e\u5f00\u6e90\u7684\u7528\u4e8e\u652f\u6301\u57fa\u4e8e\u5168\u5c40\u6570\u636e\u4f20\u9001\u548c\u9ad8\u5bb9\u91cf\u7684\u6570\u636e\u76d1\u6d4b\u7684\u6d88\u606f\u670d\u52a1\u5668\u3002\r\n\r\nPivotal RabbitMQ\u548cPivotal RabbitMQ for PCF\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u7684\u8fc7\u6ee4\u7528\u6237\u63d0\u4ea4\u7684\u8f93\u5165\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u4efb\u610f\u7684\u811a\u672c\u4ee3\u7801\u3002",
  "discovererName": "GE Digital Security Team and by Brandon Williams from Early Warning",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttp://www.pivota.com",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-08190",
  "openTime": "2017-06-05",
  "patchDescription": "Pivotal RabbitMQ\u548cRabbitMQ for PCF\u90fd\u662f\u7f8e\u56fdPivotal Software\u516c\u53f8\u7684\u4ea7\u54c1\u3002\u524d\u8005\u662f\u4e00\u5957\u5b9e\u73b0\u4e86\u9ad8\u7ea7\u6d88\u606f\u961f\u5217\u534f\u8bae\uff08AMQP\uff09\u7684\u5f00\u6e90\u6d88\u606f\u4ee3\u7406\u8f6f\u4ef6\uff0c\u540e\u8005\u662f\u4e00\u6b3e\u5f00\u6e90\u7684\u7528\u4e8e\u652f\u6301\u57fa\u4e8e\u5168\u5c40\u6570\u636e\u4f20\u9001\u548c\u9ad8\u5bb9\u91cf\u7684\u6570\u636e\u76d1\u6d4b\u7684\u6d88\u606f\u670d\u52a1\u5668\u3002\r\n\r\nPivotal RabbitMQ\u548cPivotal RabbitMQ for PCF\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u7684\u8fc7\u6ee4\u7528\u6237\u63d0\u4ea4\u7684\u8f93\u5165\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u4efb\u610f\u7684\u811a\u672c\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Pivotal RabbitMQ\u4ea7\u54c1\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Pivotal RabbitMQ for PCF 1.6.12",
      "Pivotal RabbitMQ for PCF 1.6.4",
      "Pivotal RabbitMQ for PCF 1.6.3",
      "Pivotal RabbitMQ for PCF 1.6.2",
      "Pivotal RabbitMQ for PCF 1.6.1",
      "Pivotal RabbitMQ for PCF 1.6",
      "Pivotal RabbitMQ for PCF 1.5.20",
      "Pivotal RabbitMQ for PCF 1.5",
      "Pivotal RabbitMQ 3.6.6",
      "Pivotal RabbitMQ 3.6",
      "Pivotal RabbitMQ 3.5",
      "Pivotal RabbitMQ 3.4",
      "Pivotal RabbitMQ for PCF 1.7.7",
      "Pivotal RabbitMQ for PCF  1.7"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/98394",
  "serverity": "\u9ad8",
  "submitTime": "2017-05-20",
  "title": "Pivotal RabbitMQ\u4ea7\u54c1\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2017-4965 (GCVE-0-2017-4965)

Vulnerability from cvelistv5

Published

2017-06-13 06:00

Modified

2024-08-05 14:47

Severity ?

CWE

XSS vulnerabilities in RabbitMQ management UI

Summary

An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.

References

▼	URL	Tags
	http://www.securityfocus.com/bid/98394	vdb-entry, x_refsource_BID
	https://pivotal.io/security/cve-2017-4965	x_refsource_CONFIRM
	https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html	mailing-list, x_refsource_MLIST

Impacted products

	Vendor	Product	Version
	n/a	Pivotal RabbitMQ	Version: Pivotal RabbitMQ

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T14:47:43.344Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "98394",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/98394"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://pivotal.io/security/cve-2017-4965"
          },
          {
            "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Pivotal RabbitMQ",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Pivotal RabbitMQ"
            }
          ]
        }
      ],
      "datePublic": "2017-06-12T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "XSS vulnerabilities in RabbitMQ management UI",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-19T19:06:16",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "name": "98394",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/98394"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://pivotal.io/security/cve-2017-4965"
        },
        {
          "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@dell.com",
          "ID": "CVE-2017-4965",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Pivotal RabbitMQ",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Pivotal RabbitMQ"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "XSS vulnerabilities in RabbitMQ management UI"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "98394",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/98394"
            },
            {
              "name": "https://pivotal.io/security/cve-2017-4965",
              "refsource": "CONFIRM",
              "url": "https://pivotal.io/security/cve-2017-4965"
            },
            {
              "name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2017-4965",
    "datePublished": "2017-06-13T06:00:00",
    "dateReserved": "2016-12-29T00:00:00",
    "dateUpdated": "2024-08-05T14:47:43.344Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted