Debian LTS: Security Advisory for rabbitmq-server (DLA-2710-1)

The remote host is missing an update for the 'rabbitmq-server' package(s) announced via the DLA-2710-1 advisory.

Several vulnerabilities were discovered in rabbitmq-server, a message-broker software. CVE-2017-4965 Several forms in the RabbitMQ management UI are vulnerable to XSS attacks. CVE-2017-4966 RabbitMQ management UI stores signed-in user credentials in a browser's local storage without expiration, making it possible to retrieve them using a chained attack CVE-2017-4967 Several forms in the RabbitMQ management UI are vulnerable to XSS attacks. CVE-2019-11281 The virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information CVE-2019-11287 The 'X-Reason' HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing. CVE-2021-22116 A malicious user can exploit the vulnerability by sending malicious AMQP messages to the target RabbitMQ instance.

'rabbitmq-server' package(s) on Debian Linux.

Checks if a vulnerable package version is present on the target host.

For Debian 9 stretch, these problems have been fixed in version 3.6.6-1+deb9u1. We recommend that you upgrade your rabbitmq-server packages.