
CVSS: 5.0 | EPSS: 0% | CPEs: 44 | EXPL: 0

CRLF injection vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the download parameter to api/definitions.

A response-splitting vulnerability was discovered in RabbitMQ. An /api/definitions URL could be crafted so that an arbitrary additional header was returned in the response. A remote attacker could use this flaw to inject arbitrary HTTP headers and possibly gain access to sensitive data.

References:
http://rhn.redhat.com/errata/RHSA-2016-0308.html
http://www.openwall.com/lists/oss-security/2015/01/21/13
http://www.rabbitmq.com/release-notes/README-3.4.1.txt
http://www.securityfocus.com/bid/76091
https://groups.google.com/forum/#%21topic/rabbitmq-users/-3Z2FyGtXhs
https://access.redhat.com/security/cve/CVE-2014-9650
https://bugzilla.redhat.com/show_bug.cgi?id=1185515

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
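How the bug class described above works, as an added illustration that is not RabbitMQ's own code: a CR/LF pair inside the download query parameter becomes an extra response header (or, with a second CR/LF pair, an attacker-supplied body) when the value is copied verbatim into a header, and a conservative filename alphabet neutralizes it. That RabbitMQ placed the parameter in a Content-Disposition filename is an assumption here, as are the attack URLs and the header-builder names.

```python
# Added illustration, not RabbitMQ's code. It shows how a CR/LF pair inside
# the `download` query parameter (the parameter named in the advisory) becomes
# an extra response header when the value is copied verbatim into a header,
# and one way to neutralize it. The exact header RabbitMQ built from the
# parameter (Content-Disposition: attachment; filename=...) is an assumption.
from urllib.parse import parse_qs, urlsplit

ALLOWED_FILENAME_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-"
)


def headers_vulnerable(download):
    """Pre-fix pattern: the parameter goes into the header value unchanged."""
    return [
        ("Content-Type", "application/json"),
        ("Content-Disposition", "attachment; filename=" + download),
    ]


def headers_fixed(download):
    """Keep only a conservative filename alphabet. CR, LF, ':' and spaces
    cannot survive, so no header boundary can be forged. Falls back to a
    default name if nothing is left after filtering."""
    safe = "".join(c for c in download if c in ALLOWED_FILENAME_CHARS)
    return [
        ("Content-Type", "application/json"),
        ("Content-Disposition",
         'attachment; filename="%s"' % (safe or "definitions.json")),
    ]


def serialize(headers, body=b"{}"):
    """Wire form of the response: status line, headers, blank line, body."""
    head = "HTTP/1.1 200 OK\r\n" + "".join("%s: %s\r\n" % kv for kv in headers)
    return head.encode() + b"\r\n" + body


def parse_response(raw):
    """What a browser or proxy sees: headers split on CRLF, body after the
    first blank line. Returns (headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode().split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip(), []).append(value.strip())
    return headers, body


def handle(url, build_headers):
    """Simulate GET /api/definitions?download=... against the chosen builder."""
    params = parse_qs(urlsplit(url).query)
    download = params.get("download", ["definitions.json"])[0]
    return parse_response(serialize(build_headers(download)))


# Constructed attack URLs. %0d%0a is CRLF; the first one appends a header of
# the attacker's choosing, the second ends the header block early so the
# attacker controls the body as well (full response splitting).
INJECT_URL = "/api/definitions?download=x.json%0d%0aSet-Cookie:+injected%3d1"
SPLIT_URL = "/api/definitions?download=x%0d%0a%0d%0a<html>evil</html>"

if __name__ == "__main__":
    for name, build in (("vulnerable", headers_vulnerable), ("fixed", headers_fixed)):
        hdrs, body = handle(INJECT_URL, build)
        print(name, "-> injected Set-Cookie present:", "Set-Cookie" in hdrs)
        hdrs, body = handle(SPLIT_URL, build)
        print(name, "-> body starts with attacker HTML:", body.startswith(b"<html>"))
```

The parser is deliberately naive: it mirrors what the consumer of the response does, which is exactly why the injected line is treated as a header rather than as part of the filename.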

CVSS: 5.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

RabbitMQ before 3.4.0 allows remote attackers to bypass the loopback_users restriction via a crafted X-Forwarded-For header. The loopback_users setting confines the listed users (by default guest) to connections from localhost; because the client's origin was derived from a header the client itself controls, a remote user could claim a loopback address.

References:
http://seclists.org/oss-sec/2015/q1/30
http://www.rabbitmq.com/release-notes/README-3.4.0.txt
https://exchange.xforce.ibmcloud.com/vulnerabilities/99685
https://groups.google.com/forum/#%21topic/rabbitmq-users/DMkypbSvIyM

CWE-264: Permissions, Privileges, and Access Controls
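The bypass and one correct way to resolve the client address, as an added illustration that is not RabbitMQ's own code: a loopback check that believes X-Forwarded-For is contrasted with one that uses the TCP peer unless that peer is a proxy the operator runs. The trusted-proxy address, the client addresses and the function names are constructed assumptions; the loopback_users semantics (listed users only from localhost, guest by default) are RabbitMQ's documented behaviour.

```python
# Added illustration, not RabbitMQ's code. It contrasts a loopback check that
# trusts X-Forwarded-For (the pre-3.4.0 behaviour implied by the advisory)
# with one that only honours the header when the TCP peer is a proxy we run.
# The proxy address and client addresses are constructed examples.
import ipaddress

LOOPBACK_USERS = {"guest"}                            # RabbitMQ default loopback_users
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}  # assumption: our reverse proxy


def _header(headers, name):
    """Case-insensitive header lookup."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def client_ip_vulnerable(peer_ip, headers):
    """Believes whatever the client put in X-Forwarded-For."""
    xff = _header(headers, "X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_ip


def client_ip_fixed(peer_ip, headers):
    """Uses the socket peer unless that peer is a trusted proxy; then takes the
    rightmost X-Forwarded-For entry, the hop the proxy itself appended."""
    xff = _header(headers, "X-Forwarded-For")
    if xff and ipaddress.ip_address(peer_ip) in TRUSTED_PROXIES:
        return xff.split(",")[-1].strip()
    return peer_ip


def is_loopback(ip_text):
    try:
        return ipaddress.ip_address(ip_text).is_loopback
    except ValueError:          # garbage in the header is not localhost
        return False


def login_allowed(user, peer_ip, headers, resolve_client_ip):
    """loopback_users semantics: listed users may only log in from localhost."""
    if user in LOOPBACK_USERS:
        return is_loopback(resolve_client_ip(peer_ip, headers))
    return True


# Constructed requests: (TCP peer address, HTTP headers).
REMOTE_SPOOF = ("203.0.113.5", {"X-Forwarded-For": "127.0.0.1"})
LOCAL_DIRECT = ("127.0.0.1", {})
VIA_PROXY = ("10.0.0.2", {"X-Forwarded-For": "203.0.113.5"})

if __name__ == "__main__":
    for label, resolve in (("vulnerable", client_ip_vulnerable),
                           ("fixed", client_ip_fixed)):
        print(label, "guest from remote peer with spoofed XFF:",
              login_allowed("guest", *REMOTE_SPOOF, resolve))
```

Taking the rightmost entry is correct only for a single trusted proxy that appends exactly one address; behind a chain of proxies the check has to walk the list from the right, discarding each trusted hop, before it reaches the first address it cannot vouch for.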