Details of VAR-201706-0533

ID

VAR-201706-0533

CVE

CVE-2017-4965

TITLE

Pivotal RabbitMQ Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-004861

DESCRIPTION

An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks. Pivotal RabbitMQ Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Pivotal RabbitMQ products are prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks

Trust: 1.98

sources: NVD: CVE-2017-4965 // JVNDB: JVNDB-2017-004861 // BID: 98394 // VULMON: CVE-2017-4965

AFFECTED PRODUCTS

vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.6.6	Trust: 1.9
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.19	Trust: 1.6
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.7	Trust: 1.6
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.15	Trust: 1.6
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.3	Trust: 1.6
vendor:	broadcom	model:	rabbitmq server	scope:	eq	version:	3.4.0	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	9.0	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.6.0	Trust: 1.0
vendor:	broadcom	model:	rabbitmq server	scope:	eq	version:	3.4.4	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.4	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.8	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.3	Trust: 1.0
vendor:	broadcom	model:	rabbitmq server	scope:	eq	version:	3.4.2	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.0	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.6	Trust: 1.0
vendor:	broadcom	model:	rabbitmq server	scope:	eq	version:	3.5.6	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.13	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.12	Trust: 1.0
vendor:	broadcom	model:	rabbitmq server	scope:	eq	version:	3.6.7	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.9	Trust: 1.0
vendor:	broadcom	model:	rabbitmq server	scope:	eq	version:	3.5.2	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.6.3	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.0	Trust: 1.0
vendor:	broadcom	model:	rabbitmq server	scope:	eq	version:	3.4.1	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.14	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.5.5	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.10	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.14	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.5.7	Trust: 1.0
vendor:	broadcom	model:	rabbitmq server	scope:	eq	version:	3.5.0	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.10	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.6	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.11	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.2	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.9	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.4	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.5	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.6	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.1	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.5.4	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.6.5	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.17	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.5	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.1	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.4	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.8	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.9	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.10	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.15	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.14	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.7	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.7	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.13	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.2	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.6.2	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.18	Trust: 1.0
vendor:	broadcom	model:	rabbitmq server	scope:	eq	version:	3.5.3	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.2	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.5.12	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.5	Trust: 1.0
vendor:	broadcom	model:	rabbitmq server	scope:	eq	version:	3.5.1	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.6.4	Trust: 1.0
vendor:	broadcom	model:	rabbitmq server	scope:	eq	version:	3.4.3	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.13	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.8	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.0	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.7.3	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.6.1	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	1.6.16	Trust: 1.0
vendor:	pivotal	model:	rabbitmq	scope:	lt	version:	1.7.x	Trust: 0.8
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.4.x	Trust: 0.8
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	for pcf 1.6.18	Trust: 0.8
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	for pcf 1.5.x	Trust: 0.8
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.5.x	Trust: 0.8
vendor:	pivotal	model:	rabbitmq	scope:	lt	version:	3.6.x	Trust: 0.8
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	for pcf 1.7.15	Trust: 0.8
vendor:	pivotal	model:	rabbitmq	scope:	lt	version:	1.6.x	Trust: 0.8
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.6.9	Trust: 0.8
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.4.3	Trust: 0.6
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.6.7	Trust: 0.6
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.4.1	Trust: 0.6
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.4.2	Trust: 0.6
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.4.0	Trust: 0.6
vendor:	pivotal	model:	rabbitmq for pcf	scope:	eq	version:	1.7.7	Trust: 0.3
vendor:	pivotal	model:	rabbitmq for pcf	scope:	eq	version:	1.7	Trust: 0.3
vendor:	pivotal	model:	rabbitmq for pcf	scope:	eq	version:	1.6.12	Trust: 0.3
vendor:	pivotal	model:	rabbitmq for pcf	scope:	eq	version:	1.6.4	Trust: 0.3
vendor:	pivotal	model:	rabbitmq for pcf	scope:	eq	version:	1.6.3	Trust: 0.3
vendor:	pivotal	model:	rabbitmq for pcf	scope:	eq	version:	1.6.2	Trust: 0.3
vendor:	pivotal	model:	rabbitmq for pcf	scope:	eq	version:	1.6.1	Trust: 0.3
vendor:	pivotal	model:	rabbitmq for pcf	scope:	eq	version:	1.6	Trust: 0.3
vendor:	pivotal	model:	rabbitmq for pcf	scope:	eq	version:	1.5.20	Trust: 0.3
vendor:	pivotal	model:	rabbitmq for pcf	scope:	eq	version:	1.5	Trust: 0.3
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.6	Trust: 0.3
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.5	Trust: 0.3
vendor:	pivotal	model:	rabbitmq	scope:	eq	version:	3.4	Trust: 0.3
vendor:	pivotal	model:	rabbitmq for pcf	scope:	ne	version:	1.7.15	Trust: 0.3
vendor:	pivotal	model:	rabbitmq for pcf	scope:	ne	version:	1.6.18	Trust: 0.3
vendor:	pivotal	model:	rabbitmq	scope:	ne	version:	3.6.9	Trust: 0.3

sources: BID: 98394 // JVNDB: JVNDB-2017-004861 // CNNVD: CNNVD-201705-1213 // NVD: CVE-2017-4965

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-4965
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-4965
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201705-1213
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2017-4965
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-4965
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

nvd@nist.gov:	CVE-2017-4965
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	CVE-2017-4965
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2017-4965 // JVNDB: JVNDB-2017-004861 // CNNVD: CNNVD-201705-1213 // NVD: CVE-2017-4965

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2017-004861 // NVD: CVE-2017-4965

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201705-1213

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201705-1213

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-004861

PATCH

title:	CVE-2017-4965 and CVE-2017-4967: XSS vulnerabilities in RabbitMQ management UI	url:	https://pivotal.io/security/cve-2017-4965	Trust: 0.8
title:	Pivotal RabbitMQ and Pivotal RabbitMQ for PCF Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=70557	Trust: 0.6
title:	Debian CVElist Bug Report Logs: CVE-2017-4965 CVE-2017-4966 CVE-2017-4967	url:	https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=6b6ae5ada791d0845be3b03f58e84470	Trust: 0.1
title:	Red Hat: CVE-2017-4965	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2017-4965	Trust: 0.1
title:	Arch Linux Issues:	url:	https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2017-4965	Trust: 0.1
title:	Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - April 2017	url:	https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=a31bff03e9909229fd67996884614fdf	Trust: 0.1

sources: VULMON: CVE-2017-4965 // JVNDB: JVNDB-2017-004861 // CNNVD: CNNVD-201705-1213

EXTERNAL IDS

db:	NVD	id:	CVE-2017-4965	Trust: 2.8
db:	BID	id:	98394	Trust: 2.0
db:	JVNDB	id:	JVNDB-2017-004861	Trust: 0.8
db:	AUSCERT	id:	ESB-2021.2432	Trust: 0.6
db:	CNNVD	id:	CNNVD-201705-1213	Trust: 0.6
db:	VULMON	id:	CVE-2017-4965	Trust: 0.1

sources: VULMON: CVE-2017-4965 // BID: 98394 // JVNDB: JVNDB-2017-004861 // CNNVD: CNNVD-201705-1213 // NVD: CVE-2017-4965

REFERENCES

url:	https://pivotal.io/security/cve-2017-4965	Trust: 2.0
url:	http://www.securityfocus.com/bid/98394	Trust: 1.8
url:	https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html	Trust: 1.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-4965	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-4965	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2021.2432	Trust: 0.6
url:	http://pivotal.io/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863586	Trust: 0.1
url:	https://security.archlinux.org/cve-2017-4965	Trust: 0.1

sources: VULMON: CVE-2017-4965 // BID: 98394 // JVNDB: JVNDB-2017-004861 // CNNVD: CNNVD-201705-1213 // NVD: CVE-2017-4965

CREDITS

GE Digital Security Team and by Brandon Williams from Early Warning.

Trust: 0.9

sources: BID: 98394 // CNNVD: CNNVD-201705-1213

SOURCES

db:	VULMON	id:	CVE-2017-4965
db:	BID	id:	98394
db:	JVNDB	id:	JVNDB-2017-004861
db:	CNNVD	id:	CNNVD-201705-1213
db:	NVD	id:	CVE-2017-4965

LAST UPDATE DATE

2025-04-20T20:10:58.079000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2017-4965	date:	2021-07-19T00:00:00
db:	BID	id:	98394	date:	2017-05-23T16:24:00
db:	JVNDB	id:	JVNDB-2017-004861	date:	2017-07-10T00:00:00
db:	CNNVD	id:	CNNVD-201705-1213	date:	2022-03-18T00:00:00
db:	NVD	id:	CVE-2017-4965	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2017-4965	date:	2017-06-13T00:00:00
db:	BID	id:	98394	date:	2017-05-11T00:00:00
db:	JVNDB	id:	JVNDB-2017-004861	date:	2017-07-10T00:00:00
db:	CNNVD	id:	CNNVD-201705-1213	date:	2017-05-11T00:00:00
db:	NVD	id:	CVE-2017-4965	date:	2017-06-13T06:29:00.457