Our team would like to thank Christian Rellmann from usd AG for responsibly disclosing
the vulnerability and helping us verify a fix.
Impact
When a new user was added via management UI, its name was rendered in a confirmation
message without proper <script> tag sanitization, potentially allowing for JavaScript code
execution in the context of the page.
The user must be signed in and have elevated permissions (other user management).
Patches
Workarounds
Disable rabbitmq_management plugin and use CLI tools for management operations
and Prometheus and Grafana for metrics and monitoring.
References
None.
For more information
If you have any questions or comments about this advisory, please contact security@rabbitmq.com.
Our team would like to thank Christian Rellmann from usd AG for responsibly disclosing
the vulnerability and helping us verify a fix.
Impact
When a new user was added via management UI, its name was rendered in a confirmation
message without proper
<script>tag sanitization, potentially allowing for JavaScript codeexecution in the context of the page.
The user must be signed in and have elevated permissions (other user management).
Patches
3.8.17or a later version.Workarounds
Disable
rabbitmq_managementplugin and use CLI tools for management operationsand Prometheus and Grafana for metrics and monitoring.
References
None.
For more information
If you have any questions or comments about this advisory, please contact
security@rabbitmq.com.