Vulnerability CVE-2015-0862

Vulnerability Name:

CVE-2015-0862 (CCN-100241)

Assigned:

2015-01-08

Published:

2015-01-08

Updated:

2015-01-20

Summary:

Multiple cross-site scripting (XSS) vulnerabilities in the management web UI in the RabbitMQ management plugin before 3.4.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) message details when a message is unqueued, such as headers or arguments; (2) policy names, which are not properly handled when viewing policies; (3) details for AMQP network clients, such as the version; allow remote authenticated administrators to inject arbitrary web script or HTML via (4) user names, (5) the cluster name; or allow RabbitMQ cluster administrators to (6) modify unspecified content.

CVSS v3 Severity:

2.6 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

3.5 Low (CCN CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
3.0 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-79

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: MITRE
Type: CNA
CVE-2015-0862

Source: CCN
Type: RabbitMQ Web site
Security issues in RabbitMQ management plugin (3.4.2 or lower) [CVE-2015-0862]

Source: CONFIRM
Type: Vendor Advisory
http://www.rabbitmq.com/news.html#2015-01-08T10:14:05+0100

Source: CCN
Type: BID-72724
RabbitMQ Management Plugin CVE-2015-0862 Multiple Cross Site Scripting Vulnerabilities

Source: XF
Type: UNKNOWN
rabbitmq-cve20150862-xss(100241)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2015-0862

Vulnerable Configuration:

Configuration 1:

cpe:/a:pivotal_software:rabbitmq_management:*:*:*:*:*:*:*:* (Version <= 3.4.2)

Configuration CCN 1:

cpe:/a:pivotal_software:rabbitmq:3.4.2:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20150862	V	CVE-2015-0862	2022-09-02
oval:org.opensuse.security:def:3475	P	dovecot22-2.2.31-19.17.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:95105	P	erlang-rabbitmq-client-3.8.11-3.3.3 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:112197	P	erlang-rabbitmq-client-3.5.4-1.4 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:94203	P	(Important)	2021-12-06
oval:org.opensuse.security:def:55253	P	Security update for glibc (Moderate)	2021-10-06
oval:org.opensuse.security:def:105728	P	erlang-rabbitmq-client-3.5.4-1.4 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:55936	P	Security update for fetchmail (Moderate)	2021-08-18
oval:org.opensuse.security:def:63326	P	erlang-rabbitmq-client-3.8.11-1.26 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:2237	P	erlang-rabbitmq-client-3.8.11-1.26 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:100916	P	libidn2-0-2.2.0-3.6.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:66872	P	Security update for libvirt (Moderate)	2021-07-27
oval:org.opensuse.security:def:1616	P	Security update for apache2 (Important)	2021-06-22
oval:org.opensuse.security:def:70228	P	Security update for avahi (Important)	2021-06-03
oval:org.opensuse.security:def:66780	P	Security update for djvulibre (Important)	2021-05-19
oval:org.opensuse.security:def:73445	P	Security update for perl-Convert-ASN1 (Moderate)	2021-01-21
oval:org.opensuse.security:def:63261	P	erlang-rabbitmq-client-3.8.3-1.27 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:107582	P	erlang-rabbitmq-client-3.8.3-1.27 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:2172	P	erlang-rabbitmq-client-3.8.3-1.27 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:73563	P	Security update for xen (Important)	2020-12-03
oval:org.opensuse.security:def:117140	P	erlang-rabbitmq-client-3.8.3-1.27 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:55770	P	Security update for gdm (Important)	2020-12-03
oval:org.opensuse.security:def:56421	P	Security update for libical (Moderate)	2020-12-01
oval:org.opensuse.security:def:55090	P	dbus-1-glib on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:70123	P	libvdpau-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:56495	P	Security update for openssl (Moderate)	2020-12-01
oval:org.opensuse.security:def:55491	P	Security update for tcpdump (Moderate)	2020-12-01
oval:org.opensuse.security:def:56221	P	Security update for binutils (Moderate)	2020-12-01
oval:org.opensuse.security:def:55091	P	dhcp on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:56533	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:55664	P	Security update for ecryptfs-utils (Moderate)	2020-12-01
oval:org.opensuse.security:def:50003	P	gtk-vnc-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:56329	P	Security update for openvpn (Important)	2020-12-01
oval:org.opensuse.security:def:55113	P	gd on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50057	P	erlang-rabbitmq-client on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:56614	P	Security update for soundtouch (Moderate)	2020-12-01
oval:com.ubuntu.cosmic:def:201508620000000	V	CVE-2015-0862 on Ubuntu 18.10 (cosmic) - negligible.	2015-01-18
oval:com.ubuntu.artful:def:20150862000	V	CVE-2015-0862 on Ubuntu 17.10 (artful) - negligible.	2015-01-18
oval:com.ubuntu.trusty:def:20150862000	V	CVE-2015-0862 on Ubuntu 14.04 LTS (trusty) - negligible.	2015-01-18
oval:com.ubuntu.bionic:def:201508620000000	V	CVE-2015-0862 on Ubuntu 18.04 LTS (bionic) - negligible.	2015-01-18
oval:com.ubuntu.bionic:def:20150862000	V	CVE-2015-0862 on Ubuntu 18.04 LTS (bionic) - negligible.	2015-01-18
oval:com.ubuntu.xenial:def:20150862000	V	CVE-2015-0862 on Ubuntu 16.04 LTS (xenial) - negligible.	2015-01-18
oval:com.ubuntu.xenial:def:201508620000000	V	CVE-2015-0862 on Ubuntu 16.04 LTS (xenial) - negligible.	2015-01-18
oval:com.ubuntu.cosmic:def:20150862000	V	CVE-2015-0862 on Ubuntu 18.10 (cosmic) - negligible.	2015-01-18
oval:com.ubuntu.disco:def:201508620000000	V	CVE-2015-0862 on Ubuntu 19.04 (disco) - negligible.	2015-01-18
oval:com.ubuntu.precise:def:20150862000	V	CVE-2015-0862 on Ubuntu 12.04 LTS (precise) - low.	2015-01-18

BACK