ASA-202107-17 log generated external raw

[ASA-202107-17] rabbitmq: cross-site scripting
Arch Linux Security Advisory ASA-202107-17 ========================================== Severity: Low Date : 2021-07-06 CVE-ID : CVE-2021-32718 CVE-2021-32719 Package : rabbitmq Type : cross-site scripting Remote : Yes Link : https://security.archlinux.org/AVG-2109 Summary ======= The package rabbitmq before version 3.8.19-1 is vulnerable to cross- site scripting. Resolution ========== Upgrade to 3.8.19-1. # pacman -Syu "rabbitmq>=3.8.19-1" The problems have been fixed upstream in version 3.8.19. Workaround ========== As a workaround, disable the rabbitmq_management plugin and use CLI tools for management operations and Prometheus and Grafana for metrics and monitoring. Description =========== - CVE-2021-32718 (cross-site scripting) In rabbitmq-server prior to version 3.8.17, a new user being added via management UI could lead to the user's bane being rendered in a confirmation message without proper <script> tag sanitization, potentially allowing for JavaScript code execution in the context of the page. In order for this to occur, the user must be signed in and have elevated permissions (other user management). - CVE-2021-32719 (cross-site scripting) In rabbitmq-server prior to version 3.8.18, when a federation link was displayed in the RabbitMQ management UI via the rabbitmq_federation_management plugin, its consumer tag was rendered without proper <script> tag sanitization, potentially allowing for JavaScript code execution in the context of the page. Impact ====== Crafted user banes and federation links could be used to inject arbitrary JavaScript code into the management web UI. References ========== https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-c3hj-rg5h-2772 https://github.com/rabbitmq/rabbitmq-server/pull/3028 https://github.com/rabbitmq/rabbitmq-server/commit/a7373585faeac0aaede5a9c245094d8022e81299 https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hxj4-773x https://github.com/rabbitmq/rabbitmq-server/pull/3122 https://github.com/rabbitmq/rabbitmq-server/commit/08beb82e9ab8923ded88ece2800cd80971e2bd05 https://security.archlinux.org/CVE-2021-32718 https://security.archlinux.org/CVE-2021-32719