CNVD-2017-08190

Vulnerability from cnvd - Published: 2017-06-05
Title
Pivotal RabbitMQ cross-site scripting vulnerability
Description
Pivotal RabbitMQ and RabbitMQ for PCF are both products of Pivotal Software (USA). The former is an open-source message broker that implements the Advanced Message Queuing Protocol (AMQP); the latter is the RabbitMQ messaging service packaged for Pivotal Cloud Foundry (PCF). A cross-site scripting (XSS) vulnerability exists in Pivotal RabbitMQ and Pivotal RabbitMQ for PCF because the browser-based management interface fails to properly escape user-controllable input before rendering it into HTML. An attacker who can get crafted content into an affected page can execute arbitrary script code in the browser of a user viewing that page, with that user's management-interface session. The entry is tracked upstream as CVE-2017-4965 (see the source record below).
Severity
High (CNVD rating)
Patch Name
Patch for the Pivotal RabbitMQ cross-site scripting vulnerability
Patch Description
Same product and vulnerability summary as in the Description above: an XSS flaw in Pivotal RabbitMQ and Pivotal RabbitMQ for PCF caused by insufficient filtering of user-submitted input, allowing arbitrary script execution in the browser. The vendor has published a security advisory and patch information that fix this vulnerability.
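The entry states the root cause only in general terms: user-controllable input reaches the browser unfiltered. The following JavaScript is an added illustration, not RabbitMQ's own code, of what that looks like in a management-style UI that renders broker object names into an HTML table: one renderer interpolates the name straight into markup, the other escapes each value for the context it lands in (text node, attribute, URL path segment). The queue records, the `escapeHtml`, `renderQueueRowUnsafe`, `renderQueueRowSafe` and `containsInjectedMarkup` helpers are all constructed for this example.

```javascript
// Added example: unescaped vs. escaped rendering of broker-supplied names.
// Not RabbitMQ code; all names and data below are constructed for illustration.

// Constructed sample API response: the second queue name is attacker-chosen.
const QUEUES = [
  { name: 'orders', vhost: '/', messages: 12 },
  { name: '<img src=x onerror="alert(document.cookie)">', vhost: '/', messages: 0 },
];

// Escape the five characters that matter in HTML text and double-quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: API data concatenated directly into the page's HTML.
// The queue name ends up both inside an href attribute and as visible text.
function renderQueueRowUnsafe(q) {
  return `<tr><td><a href="#/queues/${q.vhost}/${q.name}">${q.name}</a></td>` +
         `<td>${q.messages}</td></tr>`;
}

// Hardened pattern: URL segments are percent-encoded, and every value is
// HTML-escaped for the exact context it is inserted into.
function renderQueueRowSafe(q) {
  const href = `#/queues/${encodeURIComponent(q.vhost)}/${encodeURIComponent(q.name)}`;
  return `<tr><td><a href="${escapeHtml(href)}">${escapeHtml(q.name)}</a></td>` +
         `<td>${escapeHtml(q.messages)}</td></tr>`;
}

function renderTable(queues, rowFn) {
  return `<table>${queues.map(rowFn).join('')}</table>`;
}

// Check used here to show the difference: any '<' that does not start one of
// the template's own tags (table, tr, td, a) came from the data, i.e. injected.
function containsInjectedMarkup(html) {
  return /<(?!\/?(?:table|tr|td|a)\b)/i.test(html);
}

const unsafeHtml = renderTable(QUEUES, renderQueueRowUnsafe);
const safeHtml = renderTable(QUEUES, renderQueueRowSafe);
console.log('unsafe renderer leaks markup:', containsInjectedMarkup(unsafeHtml));
console.log('safe renderer leaks markup:  ', containsInjectedMarkup(safeHtml));
```

Escaping at the point of output is the fix that matters; filtering names on the way in is not sufficient on its own because the same value can be displayed in several contexts (text, attribute, URL) and each needs its own encoding. Building rows with DOM APIs (`textContent`, `setAttribute`) instead of string concatenation achieves the same result in a real browser.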
Formal description

Users can refer to the vendor-supplied security patch at the following link to fix this vulnerability (link reproduced exactly as recorded in the CNVD entry): http://www.pivota.com

Reference
http://www.securityfocus.com/bid/98394
Impacted products
Name
Pivotal RabbitMQ for PCF 1.7.7
Pivotal RabbitMQ for PCF 1.7
Pivotal RabbitMQ for PCF 1.6.12
Pivotal RabbitMQ for PCF 1.6.4
Pivotal RabbitMQ for PCF 1.6.3
Pivotal RabbitMQ for PCF 1.6.2
Pivotal RabbitMQ for PCF 1.6.1
Pivotal RabbitMQ for PCF 1.6
Pivotal RabbitMQ for PCF 1.5.20
Pivotal RabbitMQ for PCF 1.5
Pivotal RabbitMQ 3.6.6
Pivotal RabbitMQ 3.6
Pivotal RabbitMQ 3.5
Pivotal RabbitMQ 3.4
Source record (CNVD, Unicode escapes decoded and values translated)

{
  "bids": {
    "bid": {
      "bidNumber": "98394"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-4965"
    }
  },
  "description": "Pivotal RabbitMQ and RabbitMQ for PCF are both products of the US company Pivotal Software. The former is an open-source message broker that implements the Advanced Message Queuing Protocol (AMQP); the latter is an open-source message server supporting global data delivery and high-volume data monitoring.\r\n\r\nA cross-site scripting vulnerability exists in Pivotal RabbitMQ and Pivotal RabbitMQ for PCF, caused by the program failing to properly filter user-submitted input. An attacker can exploit this vulnerability to execute arbitrary script code in the browser.",
  "discovererName": "GE Digital Security Team and by Brandon Williams from Early Warning",
  "formalWay": "Users can refer to the following vendor-supplied security patch to fix this vulnerability:\r\nhttp://www.pivota.com",
  "isEvent": "General software/hardware vulnerability",
  "number": "CNVD-2017-08190",
  "openTime": "2017-06-05",
  "patchDescription": "Pivotal RabbitMQ and RabbitMQ for PCF are both products of the US company Pivotal Software. The former is an open-source message broker that implements the Advanced Message Queuing Protocol (AMQP); the latter is an open-source message server supporting global data delivery and high-volume data monitoring.\r\n\r\nA cross-site scripting vulnerability exists in Pivotal RabbitMQ and Pivotal RabbitMQ for PCF, caused by the program failing to properly filter user-submitted input. An attacker can exploit this vulnerability to execute arbitrary script code in the browser. The vendor has published a security advisory and patch information that fix this vulnerability.",
  "patchName": "Patch for the Pivotal RabbitMQ cross-site scripting vulnerability",
  "products": {
    "product": [
      "Pivotal RabbitMQ for PCF 1.6.12",
      "Pivotal RabbitMQ for PCF 1.6.4",
      "Pivotal RabbitMQ for PCF 1.6.3",
      "Pivotal RabbitMQ for PCF 1.6.2",
      "Pivotal RabbitMQ for PCF 1.6.1",
      "Pivotal RabbitMQ for PCF 1.6",
      "Pivotal RabbitMQ for PCF 1.5.20",
      "Pivotal RabbitMQ for PCF 1.5",
      "Pivotal RabbitMQ 3.6.6",
      "Pivotal RabbitMQ 3.6",
      "Pivotal RabbitMQ 3.5",
      "Pivotal RabbitMQ 3.4",
      "Pivotal RabbitMQ for PCF 1.7.7",
      "Pivotal RabbitMQ for PCF 1.7"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/98394",
  "serverity": "High",
  "submitTime": "2017-05-20",
  "title": "Pivotal RabbitMQ cross-site scripting vulnerability"
}