CVE-2021-32719 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2021-32719 Interim 1 23 2023-09-08T23:43:27Z current 2021-07-01T00:49:16Z 2023-09-08T23:43:27Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2021-32719 RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.18, when a federation link was displayed in the RabbitMQ management UI via the `rabbitmq_federation_management` plugin, its consumer tag was rendered without proper <script> tag sanitization. This potentially allows for JavaScript code execution in the context of the page. The user must be signed in and have elevated permissions (manage federation upstreams and policies) for this to occur. The vulnerability is patched in RabbitMQ 3.8.18. As a workaround, disable the `rabbitmq_federation_management` plugin and use [CLI tools](https://www.rabbitmq.com/cli.html) instead. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2021-September/009519.html E-Mail link for SUSE-SU-2021:3254-1 https://lists.suse.com/pipermail/sle-security-updates/2021-October/009557.html E-Mail link for SUSE-SU-2021:3325-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FWIIK75CV5Y6TWUXN67IYXFNHIHRZSXN/ E-Mail link for openSUSE-SU-2021:1334-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7NL4I6R5WB6N3LAJGL2UC3TXXGKBNRLE/ E-Mail link for openSUSE-SU-2021:3325-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Module for Server Applications 15 SP2 SUSE Linux Enterprise Module for Server Applications 15 SP3 SUSE Linux Enterprise Module for Server Applications 15 SP2 SUSE Linux Enterprise Module for Server Applications 15 SP3 SUSE Linux Enterprise Module for Server Applications 15 SP4 SUSE Linux Enterprise Module for Server Applications 15 SP5 SUSE Linux Enterprise Module for Server Applications 15 SP2 SUSE Linux Enterprise Module for Server Applications 15 SP3 SUSE Linux Enterprise Module for Server Applications 15 SP4 SUSE Linux Enterprise Module for Server Applications 15 SP5 SUSE Linux Enterprise Module for Server Applications 15 SP2 SUSE Linux Enterprise Module for Server Applications 15 SP3 SUSE Linux Enterprise Module for Server Applications 15 SP4 SUSE Linux Enterprise Module for Server Applications 15 SP5 SUSE Linux Enterprise Module for Server Applications 15 SP2 SUSE Linux Enterprise Module for Server Applications 15 SP3 SUSE Linux Enterprise Module for Server Applications 15 SP4 SUSE Linux Enterprise Module for Server Applications 15 SP2 SUSE Linux Enterprise Module for Server Applications 15 SP3 SUSE Linux Enterprise Module for Server Applications 15 SP4 SUSE Linux Enterprise Module for Server Applications 15 SP2 SUSE Linux Enterprise Module for Server Applications 15 SP3 SUSE Linux Enterprise Module for Server Applications 15 SP4 openSUSE Leap 15.2 openSUSE Leap 15.3 erlang-rabbitmq-client-3.8.11-3.3.3 erlang-rabbitmq-client-3.8.3-3.3.4 erlang-rabbitmq-client-3.8.3-lp152.2.3.1 rabbitmq-server-3.8.11-3.3.3 rabbitmq-server-3.8.3-3.3.4 rabbitmq-server-3.8.3-lp152.2.3.1 rabbitmq-server-plugins-3.8.11-3.3.3 rabbitmq-server-plugins-3.8.3-3.3.4 rabbitmq-server-plugins-3.8.3-lp152.2.3.1 erlang-rabbitmq-client-3.8.3-3.3.4 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP2 rabbitmq-server-3.8.3-3.3.4 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP2 rabbitmq-server-plugins-3.8.3-3.3.4 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP2 erlang-rabbitmq-client-3.8.11-3.3.3 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP3 rabbitmq-server-3.8.11-3.3.3 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP3 rabbitmq-server-plugins-3.8.11-3.3.3 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP3 erlang-rabbitmq-client-3.8.11-3.3.3 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP4 rabbitmq-server-3.8.11-3.3.3 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP4 rabbitmq-server-plugins-3.8.11-3.3.3 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP4 erlang-rabbitmq-client-3.8.11-3.3.3 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP5 rabbitmq-server-3.8.11-3.3.3 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP5 rabbitmq-server-plugins-3.8.11-3.3.3 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP5 erlang-rabbitmq-client-3.8.3-lp152.2.3.1 as a component of openSUSE Leap 15.2 rabbitmq-server-3.8.3-lp152.2.3.1 as a component of openSUSE Leap 15.2 rabbitmq-server-plugins-3.8.3-lp152.2.3.1 as a component of openSUSE Leap 15.2 erlang-rabbitmq-client-3.8.11-3.3.3 as a component of openSUSE Leap 15.3 rabbitmq-server-3.8.11-3.3.3 as a component of openSUSE Leap 15.3 rabbitmq-server-plugins-3.8.11-3.3.3 as a component of openSUSE Leap 15.3 RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.18, when a federation link was displayed in the RabbitMQ management UI via the `rabbitmq_federation_management` plugin, its consumer tag was rendered without proper <script> tag sanitization. This potentially allows for JavaScript code execution in the context of the page. The user must be signed in and have elevated permissions (manage federation upstreams and policies) for this to occur. The vulnerability is patched in RabbitMQ 3.8.18. As a workaround, disable the `rabbitmq_federation_management` plugin and use [CLI tools](https://www.rabbitmq.com/cli.html) instead. CVE-2021-32719 SUSE Linux Enterprise Module for Server Applications 15 SP2:erlang-rabbitmq-client-3.8.3-3.3.4 SUSE Linux Enterprise Module for Server Applications 15 SP2:rabbitmq-server-3.8.3-3.3.4 SUSE Linux Enterprise Module for Server Applications 15 SP2:rabbitmq-server-plugins-3.8.3-3.3.4 SUSE Linux Enterprise Module for Server Applications 15 SP3:erlang-rabbitmq-client-3.8.11-3.3.3 SUSE Linux Enterprise Module for Server Applications 15 SP3:rabbitmq-server-3.8.11-3.3.3 SUSE Linux Enterprise Module for Server Applications 15 SP3:rabbitmq-server-plugins-3.8.11-3.3.3 SUSE Linux Enterprise Module for Server Applications 15 SP4:erlang-rabbitmq-client-3.8.11-3.3.3 SUSE Linux Enterprise Module for Server Applications 15 SP4:rabbitmq-server-3.8.11-3.3.3 SUSE Linux Enterprise Module for Server Applications 15 SP4:rabbitmq-server-plugins-3.8.11-3.3.3 SUSE Linux Enterprise Module for Server Applications 15 SP5:erlang-rabbitmq-client-3.8.11-3.3.3 SUSE Linux Enterprise Module for Server Applications 15 SP5:rabbitmq-server-3.8.11-3.3.3 SUSE Linux Enterprise Module for Server Applications 15 SP5:rabbitmq-server-plugins-3.8.11-3.3.3 openSUSE Leap 15.2:erlang-rabbitmq-client-3.8.3-lp152.2.3.1 openSUSE Leap 15.2:rabbitmq-server-3.8.3-lp152.2.3.1 openSUSE Leap 15.2:rabbitmq-server-plugins-3.8.3-lp152.2.3.1 openSUSE Leap 15.3:erlang-rabbitmq-client-3.8.11-3.3.3 openSUSE Leap 15.3:rabbitmq-server-3.8.11-3.3.3 openSUSE Leap 15.3:rabbitmq-server-plugins-3.8.11-3.3.3 low 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N 3.1 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N