CVE-2024-51988

CWE-284 — Improper Access Control7 documents6 sources

Severity

6.5MEDIUM

EPSS

0.1%

top 67.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rabbitmq Rabbitmq-server

Timeline

PublishedNov 6

Description

RabbitMQ is a feature rich, multi-protocol messaging and streaming broker. In affected versions queue deletion via the HTTP API was not verifying the `configure` permission of the user. Users who had all of the following: 1. Valid credentials, 2. Some permissions for the target virtual host & 3. HTTP API access. could delete queues it had no (deletion) permissions for. This issue has been addressed in version 3.12.11 of the open source rabbitMQ release and in versions 1.5.2, 3.13.0, and 4.0.0 of…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶Ubunturabbitmq-server< 3.8.3-0ubuntu0.1+2

▶CVEListV5rabbitmq/rabbitmq-serverOpen source RabbitMQ: >= 3.12.7, < 3.12.11, Tanzu RabbitMQ: < 1.5.2, Tanzu RabbitMQ: >= 2.0.0, < 3.13.0+2

▶Hexrabbit_common3.12.7 — 3.12.11

🔴Vulnerability Details

OSV

CVE-2024-51988: RabbitMQ is a feature rich, multi-protocol messaging and streaming broker↗2024-11-06

▶

OSV

RabbitMQ HTTP API's queue deletion endpoint does not verify that the user has a required permission↗2024-11-06

▶

CVEList

HTTP API's queue deletion endpoint does not verify that the user has a required permission↗2024-11-06

▶

GHSA

RabbitMQ HTTP API's queue deletion endpoint does not verify that the user has a required permission↗2024-11-06

▶

📋Vendor Advisories

Red Hat

rabbitmq: rabbitmq-server: HTTP API's queue deletion endpoint does not verify that the user has a required permission↗2024-11-06

▶

Debian

CVE-2024-51988: rabbitmq-server - RabbitMQ is a feature rich, multi-protocol messaging and streaming broker. In af...↗2024

▶