Details of VAR-201706-0526

ID

VAR-201706-0526

CVE

CVE-2017-4967

TITLE

Pivotal RabbitMQ Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-004863

DESCRIPTION

An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks. Pivotal RabbitMQ Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks

Trust: 1.98

sources: NVD: CVE-2017-4967 // JVNDB: JVNDB-2017-004863 // BID: 98406 // VULMON: CVE-2017-4967

AFFECTED PRODUCTS

vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.19	Trust: 1.6
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.0	Trust: 1.6
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.4	Trust: 1.6
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.2	Trust: 1.6
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.1	Trust: 1.6
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.10	Trust: 1.6
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.6	Trust: 1.6
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.7	Trust: 1.6
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.8	Trust: 1.6
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.3	Trust: 1.6
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.6.6	Trust: 1.3
vendor:	broadcom	model:	rabbitmq server	scope:	eq	version:	3.4.0	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	9.0	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.6.0	Trust: 1.0
vendor:	broadcom	model:	rabbitmq server	scope:	eq	version:	3.4.4	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.4	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.3	Trust: 1.0
vendor:	broadcom	model:	rabbitmq server	scope:	eq	version:	3.4.2	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.6	Trust: 1.0
vendor:	broadcom	model:	rabbitmq server	scope:	eq	version:	3.5.6	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.13	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.12	Trust: 1.0
vendor:	broadcom	model:	rabbitmq server	scope:	eq	version:	3.6.7	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.9	Trust: 1.0
vendor:	broadcom	model:	rabbitmq server	scope:	eq	version:	3.5.2	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.6.3	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.0	Trust: 1.0
vendor:	broadcom	model:	rabbitmq server	scope:	eq	version:	3.4.1	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.14	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.5.5	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.14	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.5.7	Trust: 1.0
vendor:	broadcom	model:	rabbitmq server	scope:	eq	version:	3.5.0	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.10	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.6	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.11	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.15	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.9	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.5	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.1	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.5.4	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.6.5	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.17	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.5	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.4	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.8	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.9	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.10	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.15	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.14	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.7	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.7	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.13	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.2	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.6.2	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.18	Trust: 1.0
vendor:	broadcom	model:	rabbitmq server	scope:	eq	version:	3.5.3	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.2	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.12	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.5	Trust: 1.0
vendor:	broadcom	model:	rabbitmq server	scope:	eq	version:	3.5.1	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.6.4	Trust: 1.0
vendor:	broadcom	model:	rabbitmq server	scope:	eq	version:	3.4.3	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.13	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.8	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.0	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.3	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.6.1	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.16	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	lt	version:	1.7.x	Trust: 0.8
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.4.x	Trust: 0.8
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	for pcf 1.6.18	Trust: 0.8
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	for pcf 1.5.x	Trust: 0.8
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.5.x	Trust: 0.8
vendor:	pivotal	model:	rabbitmq	scope:	lt	version:	3.6.x	Trust: 0.8
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	for pcf 1.7.15	Trust: 0.8
vendor:	pivotal	model:	rabbitmq	scope:	lt	version:	1.6.x	Trust: 0.8
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.6.9	Trust: 0.8
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.6.7	Trust: 0.3
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.6	Trust: 0.3
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.5.8	Trust: 0.3
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.5	Trust: 0.3
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.4	Trust: 0.3
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.0	Trust: 0.3
vendor:	pivotal	model:	rabbitmq	scope:	ne	version:	3.6.9	Trust: 0.3

sources: BID: 98406 // JVNDB: JVNDB-2017-004863 // CNNVD: CNNVD-201705-1247 // NVD: CVE-2017-4967

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-4967
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-4967
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201705-1247
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2017-4967
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-4967
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

nvd@nist.gov:	CVE-2017-4967
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	CVE-2017-4967
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2017-4967 // JVNDB: JVNDB-2017-004863 // CNNVD: CNNVD-201705-1247 // NVD: CVE-2017-4967

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2017-004863 // NVD: CVE-2017-4967

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201705-1247

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201705-1247

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-004863

PATCH

title:	CVE-2017-4965 and CVE-2017-4967: XSS vulnerabilities in RabbitMQ management UI	url:	https://pivotal.io/security/cve-2017-4965	Trust: 0.8
title:	Pivotal RabbitMQ Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=70582	Trust: 0.6
title:	Debian CVElist Bug Report Logs: CVE-2017-4965 CVE-2017-4966 CVE-2017-4967	url:	https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=6b6ae5ada791d0845be3b03f58e84470	Trust: 0.1
title:	Red Hat: CVE-2017-4967	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2017-4967	Trust: 0.1
title:	Arch Linux Issues:	url:	https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2017-4967	Trust: 0.1
title:	Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - April 2017	url:	https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=a31bff03e9909229fd67996884614fdf	Trust: 0.1

sources: VULMON: CVE-2017-4967 // JVNDB: JVNDB-2017-004863 // CNNVD: CNNVD-201705-1247

EXTERNAL IDS

db:	NVD	id:	CVE-2017-4967	Trust: 2.8
db:	JVNDB	id:	JVNDB-2017-004863	Trust: 0.8
db:	AUSCERT	id:	ESB-2021.2432	Trust: 0.6
db:	CNNVD	id:	CNNVD-201705-1247	Trust: 0.6
db:	BID	id:	98406	Trust: 0.4
db:	VULMON	id:	CVE-2017-4967	Trust: 0.1

sources: VULMON: CVE-2017-4967 // BID: 98406 // JVNDB: JVNDB-2017-004863 // CNNVD: CNNVD-201705-1247 // NVD: CVE-2017-4967

REFERENCES

url:	https://pivotal.io/security/cve-2017-4965	Trust: 1.7
url:	https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html	Trust: 1.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-4967	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-4967	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2021.2432	Trust: 0.6
url:	http://pivotal.io/	Trust: 0.3
url:	https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_9	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.1
url:	https://www.securityfocus.com/bid/98406	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863586	Trust: 0.1
url:	https://security.archlinux.org/cve-2017-4967	Trust: 0.1

sources: VULMON: CVE-2017-4967 // BID: 98406 // JVNDB: JVNDB-2017-004863 // CNNVD: CNNVD-201705-1247 // NVD: CVE-2017-4967

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 98406

SOURCES

db:	VULMON	id:	CVE-2017-4967
db:	BID	id:	98406
db:	JVNDB	id:	JVNDB-2017-004863
db:	CNNVD	id:	CNNVD-201705-1247
db:	NVD	id:	CVE-2017-4967

LAST UPDATE DATE

2025-04-20T22:24:06.087000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2017-4967	date:	2021-07-19T00:00:00
db:	BID	id:	98406	date:	2017-05-23T16:25:00
db:	JVNDB	id:	JVNDB-2017-004863	date:	2017-07-10T00:00:00
db:	CNNVD	id:	CNNVD-201705-1247	date:	2022-03-18T00:00:00
db:	NVD	id:	CVE-2017-4967	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2017-4967	date:	2017-06-13T00:00:00
db:	BID	id:	98406	date:	2017-05-11T00:00:00
db:	JVNDB	id:	JVNDB-2017-004863	date:	2017-07-10T00:00:00
db:	CNNVD	id:	CNNVD-201705-1247	date:	2017-05-11T00:00:00
db:	NVD	id:	CVE-2017-4967	date:	2017-06-13T06:29:00.520