Arch Linux Security Advisory ASA-202107-17
==========================================

Severity: Low
Date    : 2021-07-06
CVE-ID  : CVE-2021-32718 CVE-2021-32719
Package : rabbitmq
Type    : cross-site scripting
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2109

Summary
=======

The package rabbitmq before version 3.8.19-1 is vulnerable to cross-
site scripting.

Resolution
==========

Upgrade to 3.8.19-1.

# pacman -Syu "rabbitmq>=3.8.19-1"

The problems have been fixed upstream in version 3.8.19.
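For checking a fleet of Arch hosts against this advisory, the following is an added example (not part of the advisory or of the rabbitmq project) that parses `pacman -Q rabbitmq` output and compares the installed version with the fixed 3.8.19-1. It assumes the simplified Arch version ordering epoch:pkgver-pkgrel with purely numeric dotted pkgver segments, which is sufficient for the rabbitmq versions involved here; the sample lines in the test are constructed.

```python
import re
import subprocess

# Fixed version stated in the advisory.
FIXED_VERSION = "3.8.19-1"


def parse_arch_version(version):
    """Split 'epoch:pkgver-pkgrel' into a comparable (epoch, pkgver, pkgrel) tuple.

    Assumption: pkgver segments are numeric (e.g. 3.8.18). Alphanumeric
    segments such as 'rc1' are not handled and raise ValueError.
    """
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    pkgver, _, pkgrel = version.partition("-")
    segments = tuple(int(part) for part in pkgver.split("."))
    rel = int(pkgrel) if pkgrel else 0
    return (epoch, segments, rel)


def is_affected(installed_version):
    """True when the installed rabbitmq version is older than the fixed one."""
    return parse_arch_version(installed_version) < parse_arch_version(FIXED_VERSION)


def check_pacman_line(line):
    """Evaluate one 'pacman -Q' output line such as 'rabbitmq 3.8.18-1'.

    Returns True/False for the rabbitmq package, None for any other package.
    """
    match = re.fullmatch(r"(\S+)\s+(\S+)", line.strip())
    if not match or match.group(1) != "rabbitmq":
        return None
    return is_affected(match.group(2))


def check_local_host():
    """Query pacman on the local Arch host; None when rabbitmq is not installed."""
    result = subprocess.run(["pacman", "-Q", "rabbitmq"],
                            capture_output=True, text=True)
    if result.returncode != 0:
        return None
    return check_pacman_line(result.stdout)
```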

Workaround
==========

As a workaround, disable the rabbitmq_management plugin and use CLI
tools for management operations and Prometheus and Grafana for metrics
and monitoring.

Description
===========

- CVE-2021-32718 (cross-site scripting)

In rabbitmq-server prior to version 3.8.17, a new user being added via
management UI could lead to the user's name being rendered in a
confirmation message without proper