CVE-2024-51988

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-51988
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-51988.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-51988
Aliases
Downstream
Published
2024-11-06T19:15:17Z
Modified
2025-10-17T14:09:51.031069Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
HTTP API's queue deletion endpoint does not verify that the user has a required permission
Details

RabbitMQ is a feature-rich, multi-protocol messaging and streaming broker. In affected versions, queue deletion via the HTTP API did not verify the user's configure permission. Users who had all of the following: 1. valid credentials, 2. some permissions for the target virtual host, and 3. HTTP API access, could delete queues for which they had no (deletion) permissions. This issue has been addressed in version 3.12.11 of the open source RabbitMQ release and in versions 1.5.2, 3.13.0, and 4.0.0 of the Tanzu release. Users are advised to upgrade. Users unable to upgrade may disable the management plugin and use, for example, Prometheus and Grafana for monitoring.

References

Affected packages

Git / github.com/rabbitmq/rabbitmq-server

Affected ranges

Type
GIT
Repo
https://github.com/rabbitmq/rabbitmq-server
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

Other

Aman-06-09-08
Aman-06-09-08_2
rabbitmq_v1_4_0
rabbitmq_v1_5_0
rabbitmq_v1_5_1
rabbitmq_v1_5_2

Database specific

unresolved_versions

[
    {
        "type": "",
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "Open source RabbitMQ: >= 3.12.7, < 3.12.11"
            }
        ]
    },
    {
        "type": "",
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "Tanzu RabbitMQ: >= 2.0.0, < 3.13.0"
            }
        ]
    }
]