CVE-2021-22117: RabbitMQ Server vulnerable to arbitrary code execution attack
23735
10 May 2021
CLOSED
HIGH
CVE-2021-22117
Severity
High
Vendor
VMware Tanzu
Description
RabbitMQ installers on Windows prior to version 3.8.16 do not harden plugin directory permissions, potentially allowing attackers with sufficient local filesystem permissions to add arbitrary plugins.
A malicious actor can execute arbitrary code on the running RabbitMQ server by adding arbitrary plugins.
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- RabbitMQ
- obsolete-default.x versions
- 3.8.x versions prior to 3.8.16
Mitigation
Users of affected versions should apply the following mitigation or upgrade:
- RabbitMQ
- 3.8.16
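As an added defensive check (not part of the advisory and not RabbitMQ's own tooling), the following PowerShell script inspects the ACL on the RabbitMQ plugins directory for the kind of write access the advisory describes, so an administrator can confirm the directory is hardened after upgrading or when the installer's permissions cannot be trusted. The directory path and the list of trusted principals are assumptions to adjust for the local installation.

```powershell
# Added example, not from the advisory: report ACEs on the RabbitMQ plugins
# directory that let non-administrative principals add or replace files.
# The default path is an assumption; point it at the real plugins directory.
param(
    [string]$PluginDir = 'C:\Program Files\RabbitMQ Server\rabbitmq_server-3.8.16\plugins'
)

# Principals that are expected to hold write access on a plugin directory
# (assumed list; extend it with the service account if one is used).
$TrustedIdentities = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Any of these rights is enough to drop a new plugin into the directory.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles

$acl = Get-Acl -Path $PluginDir
$findings = foreach ($ace in $acl.Access) {
    # Only Allow entries grant access; Deny entries are not a finding.
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $id = $ace.IdentityReference.Value
    if ($TrustedIdentities -contains $id) { continue }
    if (($ace.FileSystemRights -band $WriteMask) -ne 0) {
        [pscustomobject]@{
            Directory = $PluginDir
            Identity  = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # inherited ACEs point at the parent directory
        }
    }
}

if ($findings) {
    Write-Warning "Plugin directory is writable by non-administrative principals:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No non-administrative write access found on $PluginDir"
}
```

An inherited finding means the permissive entry comes from a parent directory, so the fix belongs there rather than on the plugins directory alone.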
Credit
Robert Chen from DeepSurface Security
History
2021-05-10: Initial vulnerability report published.