RabbitMQ Virtual Host Name Modification Vulnerability Leading to Cross-Site Scripting

Vulnerability

RabbitMQ is a messaging and streaming broker. Versions prior to 4.0.3 are affected by a vulnerability that requires a complex attack chain: the name of a virtual host is modified on disk, which leaves that virtual host unrecoverable, and the modified name is then used to execute arbitrary JavaScript in the browsers of management UI users. When a virtual host fails to start, recent versions display an error message in the management UI that includes the virtual host name. Before RabbitMQ 4.0.3 this name was not escaped before being inserted into the page. An attacker who can cause a virtual host to fail and, at the same time, introduce an XSS payload into its name (modifying the name on disk presupposes write access to the node's data directory), or who can alter the name of an existing virtual host, can therefore have the injected JavaScript execute in the browser of any user who views the error.
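The following is an added illustration of the rendering flaw described above; it is not code from the RabbitMQ management UI and makes no claim about how that UI builds its error notice. It shows the vulnerable pattern (a virtual host name concatenated straight into HTML), the escaping that closes it, and a simple check an administrator can run over a vhost listing (for example the output of `rabbitmqctl list_vhosts`) to spot names carrying HTML metacharacters. The vhost list and the payload name are constructed for the example.

```javascript
// Added illustration (not RabbitMQ's own management UI code): how an
// unescaped virtual host name turns a "vhost failed to start" notice into
// stored XSS, and the escaping that closes it.

// Constructed sample: a vhost listing after an attacker has renamed one
// entry so that the name itself is the XSS payload.
const SAMPLE_VHOSTS = [
  { name: '/', running: true },
  { name: 'orders', running: true },
  { name: '<img src=x onerror=alert(document.cookie)>', running: false },
];

// Vulnerable rendering pattern: the name is concatenated straight into HTML.
// Any markup in the name becomes live markup in the operator's browser.
function renderErrorUnsafe(vhost) {
  return '<p class="error">Virtual host ' + vhost.name +
         ' failed to start on this node</p>';
}

// Minimal HTML escaper for text placed in element content or in a
// double-quoted attribute. These five characters are the ones that can
// break out of text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened rendering: identical message, name escaped before insertion.
function renderErrorSafe(vhost) {
  return '<p class="error">Virtual host ' + escapeHtml(vhost.name) +
         ' failed to start on this node</p>';
}

// Crude check on whether a rendered fragment still carries injected markup:
// a tag opened inside what should be a text-only message body.
function containsInjectedTag(html) {
  const body = html.replace(/^<p class="error">/, '').replace(/<\/p>$/, '');
  return /<[a-zA-Z]/.test(body);
}

// Operational check over a vhost list: flag names containing HTML
// metacharacters, which have no business in a virtual host name.
function suspiciousVhostNames(vhosts) {
  return vhosts.filter((v) => /[<>"'&]/.test(v.name)).map((v) => v.name);
}

// Renders the error for every failed vhost both ways and reports whether
// each variant still contains injected markup, plus the flagged names.
function demo() {
  const failed = SAMPLE_VHOSTS.filter((v) => !v.running);
  return {
    unsafeInjected: failed.some((v) => containsInjectedTag(renderErrorUnsafe(v))),
    safeInjected: failed.some((v) => containsInjectedTag(renderErrorSafe(v))),
    flagged: suspiciousVhostNames(SAMPLE_VHOSTS),
  };
}
```

The escaper is deliberately context-specific: it is correct for element text and double-quoted attribute values, not for URLs, inline event handlers or script blocks, where different encoding rules apply. Running `suspiciousVhostNames` over a real listing is a cheap way to check whether a node has already been tampered with before the upgrade.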

Impact

Successful exploitation results in arbitrary JavaScript execution in the browser of any management UI user who views the error message for the failed virtual host, running in the security context of that user's management UI session.

Remediation

Upgrade to open source RabbitMQ 4.0.3, or to Tanzu RabbitMQ 4.0.3 or 3.13.8. Note that future RabbitMQ 3.13.x releases will only be available to paying customers; all other users should upgrade to 4.0.x. As a temporary measure, the management plugin can be disabled, which removes the affected UI entirely, and Prometheus and Grafana used for monitoring instead.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          7.3
impact          1.3
exploitability  3.4
remediation     8.3
relevance       0.0
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.