Mondoo Vulnerability Intelligence

Curated by Mondoo Research, enhanced with AI

Resources

Search Vulnerabilities
Trending CVEs
Browse Ecosystems
Terminology
Blog

Open Source

cnquery
cnspec

Star us on GitHub!

Company

Mondoo Platform
About
Contact

Vulnerability Intelligence

Customers

GHSA-pj33-75x5-32j4 | Mondoo Vulnerability Intelligence

Vulnerability IntelligenceGHSA-pj33-75x5-32j4

GHSA-pj33-75x5-32j4

HIGH8.3

RabbitMQ HTTP API's queue deletion endpoint does not verify that the user has a required permission

Published Nov 6, 2024

Modified 1 years ago

Fix available

Details

Summary

Queue deletion via the HTTP API was not verifying the configure permission of the user.

Impact

Users who had all of the following:

Valid credentials
Some permissions for the target virtual host
HTTP API access

could delete queues it had no (deletion) permissions for.

Workarounds

Disable management plugin and use, for example, Prometheus and Grafana for monitoring.

OWASP Classification

OWASP Top10 A01:2021 – Broken Access Control

Affected Packages

rabbit_common

Hex

Fixed in:

3.12.11

References

ADVISORYhttps://github.com/advisories/GHSA-pj33-75x5-32j4 PACKAGEhttps://github.com/rabbitmq/rabbitmq-server WEBhttps://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-pj33-75x5-32j4 ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-51988 WEBhttps://www.rabbitmq.com/docs/prometheus

Aliases

CVE-2024-51988

CVSS Analysis

CVSS v4.0

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Attack Requirements

NoneAT:N

Privileges Required

LowPR:L

User Interaction

NoneUI:N

Vulnerable System

Vuln. Confidentiality

NoneVC:N

Vuln. Integrity

HighVI:H

Vuln. Availability

NoneVA:N

Subsequent System

Subseq. Confidentiality

NoneSC:N

Subseq. Integrity

NoneSI:N

Subseq. Availability

NoneSA:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N