{"id":"CVE-2017-4967","details":"An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.","modified":"2026-04-11T12:05:53.100858Z","published":"2017-06-13T06:29:00.520Z","related":["SUSE-RU-2020:2072-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"1.5.10"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.5.10:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.5.11"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.5.11:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.5.12"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.5.12:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.5.13"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.5.13:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.5.14"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.5.14:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.5.15"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.5.15:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.5.17"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.5.17:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.5.18"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.5.18:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.5.19"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.5.19:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.5.6"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.5.6:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.5.7"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.5.7:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.5.8"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.5.8:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.5.9"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.5.9:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.6.10"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.6.10:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.6.12"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.6.12:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.6.13"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.6.13:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.6.14"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.6.14:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.6.15"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.6.15:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.6.16"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.6.16:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.6.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.6.1:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.6.2"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.6.2:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.6.3"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.6.3:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.6.4"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.6.4:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.6.5"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.6.5:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.6.6"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.6.6:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.6.7"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.6.7:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.6.8"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.6.8:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.6.9"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.6.9:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.7.10"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.7.10:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.7.13"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.7.13:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.7.14"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.7.14:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.7.3"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.7.3:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.7.4"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.7.4:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.7.5"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.7.5:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.7.6"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.7.6:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.7.7"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.7.7:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.7.8"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.7.8:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"1.7.9"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:rabbitmq:1.7.9:*:*:*:*:pivotal_cloud_foundry:*:*"},{"extracted_events":[{"last_affected":"9.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"}]},"references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"},{"type":"ADVISORY","url":"https://pivotal.io/security/cve-2017-4965"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rabbitmq/rabbitmq-server","events":[{"introduced":"0"},{"last_affected":"5aa9a3cec69e052fdf94fdb48cb831d01102a8e3"},{"last_affected":"e0c614a20c07df4853007a0a680da0391ef59f48"},{"last_affected":"90ea9de79665755123de9113da302884c207a16b"},{"last_affected":"d4a164c09e87f323efc1784b6d27ec5c1d39ab63"},{"last_affected":"d58371273e0d48dd11d2678479d10da8121b8c2f"},{"last_affected":"578cfc1916a4b6a8202b2f4698e35eb76942f061"},{"last_affected":"4fdd61b9c68b911b7d8c35bed385fb2167f173fa"},{"last_affected":"b5cc6a04168cf40241788e1dad0938ff7ae3ffe9"},{"last_affected":"f04d53ff82e04891ef6121e43a8cd40a60bfed1b"},{"last_affected":"1ea3cacdc04134cc3cb91652e54a64ba476658b6"},{"last_affected":"f3798d4b86a5b7edd6d9c30e20b169d666c7e511"},{"last_affected":"b877b98462adef4aa108033815cc6a7d6e4f2976"},{"last_affected":"3136aa25752542dfdbc7af3f77d8a66eb8d5d844"},{"last_affected":"61a5fd3950a5b34f596c48214c9299c7f4d4d582"},{"last_affected":"3d478460a3d9a94160e89ee82b85eb15ec5102a1"},{"last_affected":"9c33c701fa496826b53a7a387da3b5e4beaa6e87"},{"last_affected":"02146c99661fa0ff066387ec1b4648361cdda28e"},{"last_affected":"b6a3aa477156036c129d04a82c90ad916bc3865e"},{"last_affected":"40fc150ff49a95e771166da9cf14050d5bc95729"},{"last_affected":"ea4e59ee3018bd2824b003ac8f9db3e59c9d3413"},{"last_affected":"3be6cd4bb31f4a7a99fe1e5cd4652766a08c3c40"},{"last_affected":"c00f44b52027b358996192e05fa507cc4bf404b7"},{"last_affected":"90103f770d38fac6282c49890be7d96e394f8ec7"},{"last_affected":"5acfba7103efd4dc8e48e39c740f3ab1969bbfad"},{"last_affected":"cee628003601efa6ffd67088c78c8c58ccc97f4c"},{"last_affected":"10d1421c0d985f96facc33182631852c8454544d"},{"last_affected":"c5068a8d77491ae96fa8b25436548ebcc0a9db08"},{"last_affected":"1db54c1fa3ed00f756c9779d778b64db139108fd"},{"last_affected":"ca4368bc0a353afbf0a8cfd602003960381556d3"},{"last_affected":"758c952bf09cb933955a97c90271bfa80ea7c366"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"3.4.0"},{"last_affected":"3.4.1"},{"last_affected":"3.4.2"},{"last_affected":"3.4.3"},{"last_affected":"3.4.4"},{"last_affected":"3.5.0"},{"last_affected":"3.5.1"},{"last_affected":"3.5.2"},{"last_affected":"3.5.3"},{"last_affected":"3.5.6"},{"last_affected":"3.6.7"},{"last_affected":"3.5.4"},{"last_affected":"3.5.5"},{"last_affected":"3.5.7"},{"last_affected":"3.6.0"},{"last_affected":"3.6.1"},{"last_affected":"3.6.2"},{"last_affected":"3.6.3"},{"last_affected":"3.6.4"},{"last_affected":"3.6.5"},{"last_affected":"3.6.6"},{"last_affected":"1.5.0"},{"last_affected":"1.5.1"},{"last_affected":"1.5.2"},{"last_affected":"1.5.3"},{"last_affected":"1.5.4"},{"last_affected":"1.5.5"},{"last_affected":"1.6.0"},{"last_affected":"1.7.0"},{"last_affected":"1.7.2"}],"source":"CPE_FIELD","cpe":["cpe:2.3:a:broadcom:rabbitmq_server:3.4.0:*:*:*:*:*:*:*","cpe:2.3:a:broadcom:rabbitmq_server:3.4.1:*:*:*:*:*:*:*","cpe:2.3:a:broadcom:rabbitmq_server:3.4.2:*:*:*:*:*:*:*","cpe:2.3:a:broadcom:rabbitmq_server:3.4.3:*:*:*:*:*:*:*","cpe:2.3:a:broadcom:rabbitmq_server:3.4.4:*:*:*:*:*:*:*","cpe:2.3:a:broadcom:rabbitmq_server:3.5.0:*:*:*:*:*:*:*","cpe:2.3:a:broadcom:rabbitmq_server:3.5.1:*:*:*:*:*:*:*","cpe:2.3:a:broadcom:rabbitmq_server:3.5.2:*:*:*:*:*:*:*","cpe:2.3:a:broadcom:rabbitmq_server:3.5.3:*:*:*:*:*:*:*","cpe:2.3:a:broadcom:rabbitmq_server:3.5.6:*:*:*:*:*:*:*","cpe:2.3:a:broadcom:rabbitmq_server:3.6.7:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:rabbitmq:3.5.4:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:rabbitmq:3.5.5:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:rabbitmq:3.5.7:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:rabbitmq:3.6.0:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:rabbitmq:3.6.1:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:rabbitmq:3.6.2:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:rabbitmq:3.6.3:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:rabbitmq:3.6.4:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:rabbitmq:3.6.5:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:rabbitmq:3.6.6:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:rabbitmq:1.5.0:*:*:*:*:pivotal_cloud_foundry:*:*","cpe:2.3:a:pivotal_software:rabbitmq:1.5.1:*:*:*:*:pivotal_cloud_foundry:*:*","cpe:2.3:a:pivotal_software:rabbitmq:1.5.2:*:*:*:*:pivotal_cloud_foundry:*:*","cpe:2.3:a:pivotal_software:rabbitmq:1.5.3:*:*:*:*:pivotal_cloud_foundry:*:*","cpe:2.3:a:pivotal_software:rabbitmq:1.5.4:*:*:*:*:pivotal_cloud_foundry:*:*","cpe:2.3:a:pivotal_software:rabbitmq:1.5.5:*:*:*:*:pivotal_cloud_foundry:*:*","cpe:2.3:a:pivotal_software:rabbitmq:1.6.0:*:*:*:*:pivotal_cloud_foundry:*:*","cpe:2.3:a:pivotal_software:rabbitmq:1.7.0:*:*:*:*:pivotal_cloud_foundry:*:*","cpe:2.3:a:pivotal_software:rabbitmq:1.7.2:*:*:*:*:pivotal_cloud_foundry:*:*"]}}],"versions":["rabbitmq_v1_4_0","rabbitmq_v1_5_0","rabbitmq_v1_5_1","rabbitmq_v1_5_2","rabbitmq_v1_5_3","rabbitmq_v1_5_4","rabbitmq_v1_5_5","rabbitmq_v1_6_0","rabbitmq_v1_7_0","rabbitmq_v1_7_2","rabbitmq_v1_8_1","rabbitmq_v2_4_0","rabbitmq_v2_7_1","rabbitmq_v2_8_0","rabbitmq_v3_0_0","rabbitmq_v3_0_1","rabbitmq_v3_0_2","rabbitmq_v3_0_3","rabbitmq_v3_0_4","rabbitmq_v3_1_1","rabbitmq_v3_1_2","rabbitmq_v3_1_3","rabbitmq_v3_1_4","rabbitmq_v3_1_5","rabbitmq_v3_2_1","rabbitmq_v3_2_2","rabbitmq_v3_2_3","rabbitmq_v3_2_4","rabbitmq_v3_3_0","rabbitmq_v3_3_1","rabbitmq_v3_3_2","rabbitmq_v3_3_3","rabbitmq_v3_3_4","rabbitmq_v3_3_5","rabbitmq_v3_4_0","rabbitmq_v3_4_1","rabbitmq_v3_4_2","rabbitmq_v3_4_3","rabbitmq_v3_4_4","rabbitmq_v3_5_0","rabbitmq_v3_5_1","rabbitmq_v3_5_2","rabbitmq_v3_5_3","rabbitmq_v3_5_4","rabbitmq_v3_5_4_rc1","rabbitmq_v3_5_4_rc2","rabbitmq_v3_5_5","rabbitmq_v3_5_5_rc1","rabbitmq_v3_5_5_rc2","rabbitmq_v3_5_6","rabbitmq_v3_5_7","rabbitmq_v3_5_7_rc1","rabbitmq_v3_5_7_rc2","rabbitmq_v3_6_0","rabbitmq_v3_6_0_milestone1","rabbitmq_v3_6_0_milestone2","rabbitmq_v3_6_0_milestone3","rabbitmq_v3_6_0_rc1","rabbitmq_v3_6_0_rc2","rabbitmq_v3_6_0_rc3","rabbitmq_v3_6_1","rabbitmq_v3_6_1_rc1","rabbitmq_v3_6_1_rc2","rabbitmq_v3_6_2","rabbitmq_v3_6_2_milestone1","rabbitmq_v3_6_2_milestone2","rabbitmq_v3_6_2_milestone3","rabbitmq_v3_6_2_milestone4","rabbitmq_v3_6_2_milestone5","rabbitmq_v3_6_2_rc1","rabbitmq_v3_6_2_rc2","rabbitmq_v3_6_2_rc3","rabbitmq_v3_6_2_rc4","rabbitmq_v3_6_3","rabbitmq_v3_6_3_milestone1","rabbitmq_v3_6_3_milestone2","rabbitmq_v3_6_3_rc1","rabbitmq_v3_6_3_rc2","rabbitmq_v3_6_3_rc3","rabbitmq_v3_6_4","rabbitmq_v3_6_4_milestone1","rabbitmq_v3_6_4_milestone2","rabbitmq_v3_6_4_rc1","rabbitmq_v3_6_5","rabbitmq_v3_6_5_milestone1","rabbitmq_v3_6_5_milestone2","rabbitmq_v3_6_6","rabbitmq_v3_6_6_milestone1","rabbitmq_v3_6_6_milestone2","rabbitmq_v3_6_6_milestone3","rabbitmq_v3_6_6_milestone4","rabbitmq_v3_6_6_milestone5","rabbitmq_v3_6_6_rc1","rabbitmq_v3_6_6_rc2","rabbitmq_v3_6_7","rabbitmq_v3_6_7_milestone1","rabbitmq_v3_6_7_milestone2","rabbitmq_v3_6_7_milestone3","rabbitmq_v3_6_7_milestone4","rabbitmq_v3_6_7_milestone5","rabbitmq_v3_6_7_milestone6","rabbitmq_v3_6_7_rc1","rabbitmq_v3_6_7_rc2","rabbitmq_v3_6_7_rc3","rabbitmq_v3_6_8","rabbitmq_v3_7_0_milestone6"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-4967.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}