Arch Linux Security Advisory ASA-202107-17
==========================================
Severity: Low
Date    : 2021-07-06
CVE-ID  : CVE-2021-32718 CVE-2021-32719
Package : rabbitmq
Type    : cross-site scripting
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2109
Summary
=======
The package rabbitmq before version 3.8.19-1 is vulnerable to cross-site scripting.
Resolution
==========
Upgrade to 3.8.19-1.
# pacman -Syu "rabbitmq>=3.8.19-1"
The problems have been fixed upstream in version 3.8.19.
Workaround
==========
As a workaround, disable the rabbitmq_management plugin and use CLI
tools for management operations and Prometheus and Grafana for metrics
and monitoring.
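The workaround turns on whether the management plugin is actually enabled on a node. As an added example (not part of the advisory or of RabbitMQ's own tooling), the shell functions below audit a RabbitMQ enabled_plugins file, whose content is a single Erlang list term such as `[rabbitmq_management,rabbitmq_prometheus].`, and rewrite it without rabbitmq_management while keeping the other plugins (rabbitmq_prometheus is what the Prometheus/Grafana route relies on). The file path /etc/rabbitmq/enabled_plugins and the sample content are assumptions; on a live node the supported way to apply the change is `rabbitmq-plugins disable rabbitmq_management`, and a hand-edited file only takes effect after the node is restarted.

```shell
# Added example, not from the advisory or from RabbitMQ. Audits and edits an
# enabled_plugins file (on Arch assumed at /etc/rabbitmq/enabled_plugins).
# The file holds one Erlang list term, e.g.:
#   [rabbitmq_management,rabbitmq_prometheus].

# Print the plugins named in the file, one per line.
list_plugins() {
    tr -d '[]. \n\t' < "$1" | tr ',' '\n' | grep -v '^$'
}

# Return 0 if rabbitmq_management is listed in the file, 1 otherwise.
mgmt_plugin_enabled() {
    list_plugins "$1" | grep -qx 'rabbitmq_management'
}

# Rewrite the file without rabbitmq_management, preserving every other
# plugin (for example rabbitmq_prometheus, which the workaround relies on).
disable_mgmt_plugin() {
    file="$1"
    keep=$(list_plugins "$file" | grep -vx 'rabbitmq_management' | paste -sd ',' -)
    printf '[%s].\n' "$keep" > "$file"
}

# Constructed sample file standing in for a host with both plugins enabled.
sample=$(mktemp)
printf '[rabbitmq_management,rabbitmq_prometheus].\n' > "$sample"

if mgmt_plugin_enabled "$sample"; then
    echo "rabbitmq_management is enabled; applying the workaround"
    disable_mgmt_plugin "$sample"
fi
cat "$sample"   # [rabbitmq_prometheus].
rm -f "$sample"
```

Run it against a copy of the real file first; `rabbitmq-plugins list -E` shows the explicitly enabled plugins and is the authoritative check on a running node.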
Description
===========
- CVE-2021-32718 (cross-site scripting)
In rabbitmq-server prior to version 3.8.17, a new user being added via
the management UI could lead to the user's name being rendered in a
confirmation message without proper