Skip to main content

Early Access — Mondoo Vulnerability Intelligence is currently in preview.

Mondoo Vulnerability Intelligence

Curated by Mondoo Research, enhanced with AI

Resources

Search Vulnerabilities
Trending CVEs
Browse Ecosystems
Terminology
Blog

Open Source

cnquery
cnspec

Star us on GitHub!

Company

Mondoo Platform
About
Contact

© 2026 Mondoo, Inc.

Privacy Policy Terms of Service Imprint

Vulnerability Intelligence

GHSA-pj33-75x5-32j4 | Mondoo Vulnerability Intelligence

GHSA-pj33-75x5-32j4

HIGH8.3

RabbitMQ HTTP API's queue deletion endpoint does not verify that the user has a required permission

Published Nov 6, 2024

Modified 1 years ago

Fix available

Details

Summary

Queue deletion via the HTTP API was not verifying the configure permission of the user.

Impact

Users who had all of the following:

Valid credentials
Some permissions for the target virtual host
HTTP API access

could delete queues it had no (deletion) permissions for.

Workarounds

Disable management plugin and use, for example, Prometheus and Grafana for monitoring.

OWASP Classification

OWASP Top10 A01:2021 – Broken Access Control

Affected Packages

Hexrabbit_common

Fixed in:

3.12.11

References

ADVISORYhttps://github.com/advisories/GHSA-pj33-75x5-32j4 PACKAGEhttps://github.com/rabbitmq/rabbitmq-server WEBhttps://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-pj33-75x5-32j4 ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-51988 WEBhttps://www.rabbitmq.com/docs/prometheus

Aliases

CVSS Analysis

CVSS v3.1

8.3

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

LowPR:L

User Interaction

NoneUI:N

Scope

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

HighI:H

Availability

NoneA:N

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Related

Ecosystems

Timeline

PublishedNov 6, 2024

ModifiedNov 6, 2024