GHSA-pj33-75x5-32j4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pj33-75x5-32j4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-pj33-75x5-32j4/GHSA-pj33-75x5-32j4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-pj33-75x5-32j4
- Aliases
- Published
- 2024-11-06T19:55:13Z
- Modified
- 2024-11-08T07:57:08.146817Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- RabbitMQ HTTP API's queue deletion endpoint does not verify that the user has a required permission
- Details
-
Summary
Queue deletion via the HTTP API was not verifying the
configurepermission of the user.Impact
Users who had all of the following:
- Valid credentials
- Some permissions for the target virtual host
- HTTP API access
could delete queues it had no (deletion) permissions for.
Workarounds
Disable management plugin and use, for example, Prometheus and Grafana for monitoring.
OWASP Classification
OWASP Top10 A01:2021 – Broken Access Control
- References
Affected packages
Hex / rabbit_common
Package
- Name
- rabbit_common
- Purl
- pkg:hex/rabbit_common