{"id":16719,"date":"2021-07-07T12:28:01","date_gmt":"2021-07-07T10:28:01","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2021-0011\/"},"modified":"2022-05-10T09:40:31","modified_gmt":"2022-05-10T07:40:31","slug":"usd-2021-0011","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2021-0011\/","title":{"rendered":"usd-2021-0011"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n<h1>usd-2021-0011 | RabbitMQ<\/h1>\n<p><span><\/span><br \/><strong>Advisory ID<\/strong><span>: usd-2021-0011<\/span><br \/><strong>CVE Number<\/strong><span>: <\/span><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-32718\" target=\"_blank\" rel=\"noopener\">CVE-2021-32718<\/a><br \/><strong>Affected Product<\/strong><span>: RabbitMQ management plugin<\/span><br \/><strong>Affected Version<\/strong><span>: RabbitMQ 3.8.12<\/span><br \/><strong>Vulnerability Type<\/strong><span>: CWE-79: Improper Neutralization of Input During Web Page Generation (\u201eCross-site Scripting\u201c)<\/span><br \/><strong>Security Risk<\/strong><span>: Low (CVSS:3.1\/AV:N\/AC:L\/PR:H\/UI:R\/S:U\/C:L\/I:L\/A:N\/E:P\/RL:O\/RC:C)<\/span><br \/><strong>Vendor URL<\/strong><span>: https:\/\/www.rabbitmq.com<\/span><br \/><strong>Vendor Status<\/strong><span>: Fixed<\/span><\/p>\n<p>&nbsp;<\/p>\n<h3>Description<\/h3>\n<p><span>The vulnerability exists in RabbitMQ\u2019s \u201eAdd a user\u201c functionality and is only exploitable in the following situation: A user account containing the XSS payload in the user name must already exist within the application.<\/span><\/p>\n<p><span><\/span><\/p>\n<h3>Proof of Concept (PoC)<\/h3>\n<p><span>Step 1: Create a user account named as follows:<\/span><\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]'\u2039script\u203aalert(1)\u2039\/script\u203a<\/code><\/pre>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n<p>Step 2: Update the user account using the \u201eAdd a user\u201c functionality of the web interface. After submitting the data, the application displays a confirmation message in which the XSS payload will be included and thus executed.<\/p>\n<p>Note, that this vulnerability does not affect the \u201eEdit User\u201c feature, but the \u201eAdd a user\u201c feature which can also be used to modify existing users. The HTTP request for updating the user looks as follows:<\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]PUT \/api\/users\/'%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP\/1.1<br \/>\nHost: 127.0.0.1:15672<br \/>\nAccept: *\/*<br \/>\nAccept-Language: en-US,en;q=0.5<br \/>\nAccept-Encoding: gzip, deflate<br \/>\ncontent-type: application\/json<br \/>\nauthorization: Basic Z3Vlc3Q6Z3Vlc3Q=<br \/>\nContent-Length: 91<br \/>\nOrigin: http:\/\/127.0.0.1:15672<br \/>\nConnection: close<br \/>\nReferer: http:\/\/127.0.0.1:15672\/<br \/>\nCookie: m=2258:Z3Vlc3Q6Z3Vlc3Q%253D<\/p>\n<p>{\"username\":\"'\u2039script\u203aalert(1)\u2039\/script\u203a\",\"password\":\"abcdefg\",\"tags\":\"\"}<\/code><\/pre>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" global_colors_info=\"{}\"]<\/p>\n<p>The following screenshots show how the vulnerability can be triggered in the web interface and where the payload is executed:<\/p>\n<p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/xss.png\" title_text=\"xss\" _builder_version=\"4.16\" _module_preset=\"default\" custom_margin=\"27px||43px||false|false\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/xss2.png\" title_text=\"xss2\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n<div class=\"e16902-22 x-container max width\">\n<div class=\"e16902-23 x-column x-sm x-1-1\">\n<h3>Fix<\/h3>\n<p>It is recommended to treat all input on the website as potentially dangerous. Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context. The majority of programming languages supports standard procedures for encoding meta characters.<\/p>\n<h3><\/h3>\n<h3>Timeline<\/h3>\n<ul>\n<li>2021-03-25: This vulnerability was identified by Christian Rellmann.<\/li>\n<li>2021-04-15: Initial contact with vendor.<\/li>\n<li>2021-04-16: Vulnerability details transmitted to vendor.<\/li>\n<li>2021-05-06: Vendor starts working on a patch.<\/li>\n<li>2021-06-08: Vendor released a <a href=\"https:\/\/github.com\/rabbitmq\/rabbitmq-server\/releases\/tag\/v3.8.17\" target=\"_blank\" rel=\"noopener\">patch<\/a>.<\/li>\n<li>2021-06-27: Vulnerability details <a href=\"https:\/\/github.com\/rabbitmq\/rabbitmq-server\/security\/advisories\/GHSA-c3hj-rg5h-2772\" target=\"_blank\" rel=\"noopener\">published by vendor<\/a>.<\/li>\n<li>2021-06-30: Security advisory released by usd AG.<\/li>\n<\/ul>\n<h3><\/h3>\n<h3>Credits<\/h3>\n<p>This security vulnerability was found by Christian Rellmann of usd AG.<\/p>\n<\/div>\n<\/div>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2021-0011 | RabbitMQ Advisory ID: usd-2021-0011CVE Number: CVE-2021-32718Affected Product: RabbitMQ management pluginAffected Version: RabbitMQ 3.8.12Vulnerability Type: CWE-79: Improper Neutralization of Input During Web Page Generation (\u201eCross-site Scripting\u201c)Security Risk: Low (CVSS:3.1\/AV:N\/AC:L\/PR:H\/UI:R\/S:U\/C:L\/I:L\/A:N\/E:P\/RL:O\/RC:C)Vendor URL: https:\/\/www.rabbitmq.comVendor Status: Fixed &nbsp; Description The vulnerability exists in RabbitMQ\u2019s \u201eAdd a user\u201c functionality and is only exploitable in the following situation: A user [&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16719","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16719","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16719"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16719\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16719"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}