CVE-2021-22117: RabbitMQ Server vulnerable to arbitrary code execution attack
RabbitMQ installers on Windows prior to version 3.8.16 do not harden plugin directory permissions, potentially allowing attackers with sufficient local filesystem permissions to add arbitrary plugins.
A malicious actor can execute arbitrary code on the running RabbitMQ server by adding arbitrary plugins.
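The issue is a filesystem permission weakness: if the plugins directory accepts writes from low-privileged local accounts, any such account can drop a plugin archive there and have the broker load it. The following PowerShell script is an added example for this advisory, not RabbitMQ project code or the vendor's mitigation: it audits the plugins directory ACL and reports every Allow entry that grants write-capable rights to a broad principal. The function name `Test-RabbitMQPluginsDirAcl`, the lookup of the directory via `RABBITMQ_HOME` or the default `C:\Program Files\RabbitMQ Server\rabbitmq_server-*` layout, and the list of "broad" principals are all assumptions of this example.

```powershell
# Added example for CVE-2021-22117 (not RabbitMQ project code).
# Audits the plugins directory ACL of a Windows RabbitMQ installation and reports
# any Allow entry that gives write-capable rights to a broad local principal.
# Assumptions (not from the advisory): the directory is found via RABBITMQ_HOME or
# the default "C:\Program Files\RabbitMQ Server\rabbitmq_server-*" layout, and the
# list of broad principals below is the auditor's choice.

function Get-RabbitMQPluginsDir {
    if ($env:RABBITMQ_HOME) {
        return (Join-Path $env:RABBITMQ_HOME 'plugins')
    }
    $root = 'C:\Program Files\RabbitMQ Server'
    $inst = Get-ChildItem -Path $root -Directory -Filter 'rabbitmq_server-*' -ErrorAction SilentlyContinue |
            Sort-Object Name -Descending | Select-Object -First 1
    if ($inst) { return (Join-Path $inst.FullName 'plugins') }
    throw "RabbitMQ plugins directory not found; pass -PluginsDir explicitly."
}

function Test-RabbitMQPluginsDirAcl {
    param([string]$PluginsDir = (Get-RabbitMQPluginsDir))

    # Principals that normally include every local account. Write access for any
    # of them means a low-privileged user can place a plugin in the directory.
    $broadPrincipals = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )

    # Rights that allow creating/replacing files, deleting, or changing the ACL.
    # Modify and FullControl are supersets of these bits, so the mask catches them too.
    $R = [System.Security.AccessControl.FileSystemRights]
    $writeMask = $R::WriteData -bor $R::AppendData -bor $R::WriteAttributes -bor
                 $R::WriteExtendedAttributes -bor $R::Delete -bor
                 $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor
                 $R::TakeOwnership

    $acl = Get-Acl -Path $PluginsDir
    $findings = @()
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $who = $rule.IdentityReference.Value
        if ($broadPrincipals -notcontains $who) { continue }          # -contains is case-insensitive
        if (($rule.FileSystemRights -band $writeMask) -eq 0) { continue }
        $findings += [pscustomobject]@{
            Path      = $PluginsDir
            Principal = $who
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
    return $findings
}

# Run the audit and summarise. Wrapping in @() keeps .Count valid when nothing is returned.
$findings = @(Test-RabbitMQPluginsDirAcl)
if ($findings.Count -eq 0) {
    Write-Host "No broad write access to the plugins directory."
} else {
    $findings | Format-Table -AutoSize
    Write-Warning "Plugins directory is writable by broad principals: upgrade to 3.8.16 or later and restrict the ACL to the service account and Administrators."
}
```

The check only matches principals by name, so a custom group that happens to include all users would be missed; extend `$broadPrincipals` for your environment. Inherited entries are reported too, because a permissive parent directory is exactly how an installer that does not harden the directory ends up exposing it.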
Severity is high unless otherwise noted.
- obsolete-default.x versions
- 3.8.x versions prior to 3.8.16
Users of affected versions should apply the following mitigation or upgrade to 3.8.16 or a later release:
Robert Chen from DeepSurface Security
2021-05-10: Initial vulnerability report published.