Log

CVE-2021-32719 edited at 28 Jun 2021 16:05:50
Severity
- Unknown
+ Low
Remote
- Unknown
+ Remote
Type
- Unknown
+ Cross-site scripting
Description
+ In rabbitmq-server prior to version 3.8.18, when a federation link was displayed in the RabbitMQ management UI via the rabbitmq_federation_management plugin, its consumer tag was rendered without proper <script> tag sanitization, potentially allowing for JavaScript code execution in the context of the page.
+
+ As a workaround, disable the rabbitmq_management plugin and use CLI tools instead.
References
+ https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hxj4-773x
+ https://github.com/rabbitmq/rabbitmq-server/pull/3122
+ https://github.com/rabbitmq/rabbitmq-server/commit/08beb82e9ab8923ded88ece2800cd80971e2bd05
Notes
+ Workaround
+ ==========
+
+ As a workaround, disable the rabbitmq_management plugin and use CLI tools instead.
AVG-2109 edited at 28 Jun 2021 16:02:23
Issues
CVE-2021-32718
+ CVE-2021-32719
CVE-2021-32719 created at 28 Jun 2021 16:02:23
Severity
+ Unknown
Remote
+ Unknown
Type
+ Unknown
Description
References
Notes
AVG-2109 edited at 28 Jun 2021 16:01:56
Severity
- Unknown
+ Low
CVE-2021-32718 edited at 28 Jun 2021 16:01:56
Severity
- Unknown
+ Low
Remote
- Unknown
+ Remote
Type
- Unknown
+ Cross-site scripting
Description
+ In rabbitmq-server prior to version 3.8.17, a new user being added via management UI could lead to the user's name being rendered in a confirmation message without proper <script> tag sanitization, potentially allowing for JavaScript code execution in the context of the page. In order for this to occur, the user must be signed in and have elevated permissions (other user management).
+
+ As a workaround, disable the rabbitmq_management plugin and use CLI tools for management operations and Prometheus and Grafana for metrics and monitoring.
References
+ https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-c3hj-rg5h-2772
+ https://github.com/rabbitmq/rabbitmq-server/pull/3028
+ https://github.com/rabbitmq/rabbitmq-server/commit/a7373585faeac0aaede5a9c245094d8022e81299
Notes
+ Workaround
+ ==========
+
+ As a workaround, disable the rabbitmq_management plugin and use CLI tools for management operations and Prometheus and Grafana for metrics and monitoring.
AVG-2109 created at 28 Jun 2021 15:57:26
Packages
+ rabbitmq
Issues
+ CVE-2021-32718
Status
+ Vulnerable
Severity
+ Unknown
Affected
+ 3.8.16-1
Fixed
Ticket
Advisory qualified
+ Yes
References
Notes
CVE-2021-32718 created at 28 Jun 2021 15:57:26
CVE-2021-3623 edited at 28 Jun 2021 11:57:27
References
https://bugzilla.redhat.com/show_bug.cgi?id=1976806
https://github.com/stefanberger/libtpms/pull/223
https://github.com/stefanberger/libtpms/pull/225
- https://github.com/stefanberger/libtpms/commit/2f30d620d3c053f20d38b54bf76ac0907821d263
- https://github.com/stefanberger/libtpms/commit/7981d9ad90a5043a05004e4ca7b46beab8ca7809
- https://github.com/stefanberger/libtpms/commit/2e6173c273ca14adb11386db4e47622552b1c00e
+ https://github.com/stefanberger/libtpms/commit/f16250b35aff6995e540143a9858c9cf0d1f9573
+ https://github.com/stefanberger/libtpms/commit/3ef9b26cb9f28bd64d738bff9505a20d4eb56acd
+ https://github.com/stefanberger/libtpms/commit/5cc98a62dc6f204dcf5b87c2ee83ac742a6a319b
AVG-2108 edited at 28 Jun 2021 11:55:08
Severity
- Unknown
+ Medium
CVE-2021-3623 edited at 28 Jun 2021 11:55:08
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Local
Type
- Unknown
+ Information disclosure
Description
+ A security issue was found in libtpms before version 0.8.4. The flaw can be triggered by specially-crafted TPM 2 command packets containing illegal values and may lead to an out-of-bounds access when the volatile state of the TPM 2 is marshalled/written or unmarshalled/read.
References
+ https://bugzilla.redhat.com/show_bug.cgi?id=1976806
+ https://github.com/stefanberger/libtpms/pull/223
+ https://github.com/stefanberger/libtpms/pull/225
+ https://github.com/stefanberger/libtpms/commit/2f30d620d3c053f20d38b54bf76ac0907821d263
+ https://github.com/stefanberger/libtpms/commit/7981d9ad90a5043a05004e4ca7b46beab8ca7809
+ https://github.com/stefanberger/libtpms/commit/2e6173c273ca14adb11386db4e47622552b1c00e
Notes
AVG-2108 created at 28 Jun 2021 11:52:45
Packages
+ libtpms
Issues
+ CVE-2021-3623
Status
+ Vulnerable
Severity
+ Unknown
Affected
+ 0.8.3-1
Fixed
Ticket
Advisory qualified
+ Yes
References
Notes
CVE-2021-3623 created at 28 Jun 2021 11:52:45
CVE-2020-28200 edited at 28 Jun 2021 10:06:03
References
https://dovecot.org/pipermail/dovecot-news/2021-June/000458.html
https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html
+ https://www.openwall.com/lists/oss-security/2021/06/28/3
https://github.com/dovecot/pigeonhole/commit/68505e444f91ebd784d419a8c11f1bc3fda3ceab
CVE-2021-33515 edited at 28 Jun 2021 10:05:27
References
https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html
+ https://www.openwall.com/lists/oss-security/2021/06/28/2
https://github.com/dovecot/core/commit/65bd1a27a361545c9ccf405b955c72a9c4d29b38
CVE-2021-29157 edited at 28 Jun 2021 10:05:08
References
https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html
+ https://www.openwall.com/lists/oss-security/2021/06/28/1
https://github.com/dovecot/core/commit/7f06f6274437ea97142df1f64f322b3ced44d0b3
https://github.com/dovecot/core/commit/7a77e070ddb6a67fe7a40118ba3e3f9b6062a7d1
https://github.com/dovecot/core/commit/bae4e44596d6548322665d242b055f44fe1dc58d