CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30219 – RabbitMQ has XSS Vulnerability in an Error Message in Management UI
https://notcve.org/view.php?id=CVE-2025-30219
25 Mar 2025 — RabbitMQ is a messaging and streaming broker. Versions prior to 4.0.3 are vulnerable to a sophisticated attack that could modify virtual host name on disk and then make it unrecoverable (with other on disk file modifications) can lead to arbitrary JavaScript code execution in the browsers of management UI users. When a virtual host on a RabbitMQ node fails to start, recent versions will display an error message (a notification) in the management UI. The error message includes virtual host name, which was no... • https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-g58g-82mw-9m3p • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-51988 – HTTP API's queue deletion endpoint does not verify that the user has a required permission
https://notcve.org/view.php?id=CVE-2024-51988
06 Nov 2024 — RabbitMQ is a feature rich, multi-protocol messaging and streaming broker. In affected versions queue deletion via the HTTP API was not verifying the `configure` permission of the user. Users who had all of the following: 1. Valid credentials, 2. Some permissions for the target virtual host & 3. • https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-pj33-75x5-32j4 • CWE-284: Improper Access Control •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35789 – rabbitmq-c/librabbitmq: Insecure credentials submission
https://notcve.org/view.php?id=CVE-2023-35789
16 Jun 2023 — An issue was discovered in the C AMQP client library (aka rabbitmq-c) through 0.13.0 for RabbitMQ. Credentials can only be entered on the command line (e.g., for amqp-publish or amqp-consume) and are thus visible to local attackers by listing a process and its arguments. A flaw was found in librabbitmq. This issue occurs because credentials can only be entered on the command line (for example, for amqp-publish or amqp-consume) and are visible to local attackers by listing a process and its arguments. An upd... • https://github.com/alanxz/rabbitmq-c/issues/575 • CWE-522: Insufficiently Protected Credentials •
CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 0CVE-2020-36282
https://notcve.org/view.php?id=CVE-2020-36282
12 Mar 2021 — JMS Client for RabbitMQ 1.x before 1.15.2 and 2.x before 2.2.0 is vulnerable to unsafe deserialization that can result in code execution via crafted StreamMessage data. Un cliente JMS para RabbitMQ versiones 1.x anteriores a 1.15.2 y versiones 2.x anteriores a 2.2.0, es vulnerable a una deserialización no segura que puede resultar en una ejecución de código por medio de datos StreamMessage diseñados • https://github.com/rabbitmq/rabbitmq-jms-client/issues/135 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 2%CPEs: 9EXPL: 0CVE-2019-18609 – librabbitmq: integer overflow in amqp_handle_input in amqp_connection.c leads to heap-based buffer overflow
https://notcve.org/view.php?id=CVE-2019-18609
01 Dec 2019 — An issue was discovered in amqp_handle_input in amqp_connection.c in rabbitmq-c 0.9.0. There is an integer overflow that leads to heap memory corruption in the handling of CONNECTION_STATE_HEADER. A rogue server could return a malicious frame header that leads to a smaller target_size value than needed. This condition is then carried on to a memcpy function that copies too much data into a heap buffer. Se detectó un problema en la función amqp_handle_input en el archivo amqp_connection.c en rabbitmq-c versi... • https://github.com/alanxz/rabbitmq-c/blob/master/ChangeLog.md • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •