Security update for rabbitmq-server313 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:1548-1 Final 1 1 2025-05-14T08:25:17Z current 2025-05-14T08:25:17Z 2025-05-14T08:25:17Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rabbitmq-server313 This update for rabbitmq-server313 fixes the following issues: - CVE-2025-30219: incorrectly escaped virtual hostname present in error message could lead to XSS attack. (bsc#1240071) Non-security fixes: - Require rabbitmq-server313-plugins rather then rabbitmq-server-plugins. (bsc#1231656, bsc#1234763) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-1548,SUSE-SLE-Module-Server-Applications-15-SP6-2025-1548,openSUSE-SLE-15.6-2025-1548 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20251548-1/ Link for SUSE-SU-2025:1548-1 https://lists.suse.com/pipermail/sle-updates/2025-May/039213.html E-Mail link for SUSE-SU-2025:1548-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1231656 SUSE Bug 1231656 https://bugzilla.suse.com/1234763 SUSE Bug 1234763 https://bugzilla.suse.com/1240071 SUSE Bug 1240071 https://www.suse.com/security/cve/CVE-2025-30219/ SUSE CVE CVE-2025-30219 page SUSE Linux Enterprise Module for Server Applications 15 SP6 openSUSE Leap 15.6 erlang-rabbitmq-client313-3.13.1-150600.13.8.1 rabbitmq-server313-3.13.1-150600.13.8.1 rabbitmq-server313-plugins-3.13.1-150600.13.8.1 erlang-rabbitmq-client313-3.13.1-150600.13.8.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP6 rabbitmq-server313-3.13.1-150600.13.8.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP6 rabbitmq-server313-plugins-3.13.1-150600.13.8.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP6 erlang-rabbitmq-client313-3.13.1-150600.13.8.1 as a component of openSUSE Leap 15.6 rabbitmq-server313-3.13.1-150600.13.8.1 as a component of openSUSE Leap 15.6 rabbitmq-server313-plugins-3.13.1-150600.13.8.1 as a component of openSUSE Leap 15.6 RabbitMQ is a messaging and streaming broker. Versions prior to 4.0.3 are vulnerable to a sophisticated attack that could modify virtual host name on disk and then make it unrecoverable (with other on disk file modifications) can lead to arbitrary JavaScript code execution in the browsers of management UI users. When a virtual host on a RabbitMQ node fails to start, recent versions will display an error message (a notification) in the management UI. The error message includes virtual host name, which was not escaped prior to open source RabbitMQ 4.0.3 and Tanzu RabbitMQ 4.0.3, 3.13.8. An attack that both makes a virtual host fail to start and creates a new virtual host name with an XSS code snippet or changes the name of an existing virtual host on disk could trigger arbitrary JavaScript code execution in the management UI (the user's browser). Open source RabbitMQ `4.0.3` and Tanzu RabbitMQ `4.0.3` and `3.13.8` patch the issue. CVE-2025-30219 SUSE Linux Enterprise Module for Server Applications 15 SP6:erlang-rabbitmq-client313-3.13.1-150600.13.8.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:rabbitmq-server313-3.13.1-150600.13.8.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:rabbitmq-server313-plugins-3.13.1-150600.13.8.1 openSUSE Leap 15.6:erlang-rabbitmq-client313-3.13.1-150600.13.8.1 openSUSE Leap 15.6:rabbitmq-server313-3.13.1-150600.13.8.1 openSUSE Leap 15.6:rabbitmq-server313-plugins-3.13.1-150600.13.8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251548-1/ https://www.suse.com/security/cve/CVE-2025-30219.html CVE-2025-30219 https://bugzilla.suse.com/1240071 SUSE Bug 1240071