RabbitMQ management endpoint '/api/index.html' and '/cli/index.html' flagged as vulnerable due to Unauthentication


Article ID: 392752


Updated On: 04-01-2025

Products

VMware Tanzu Platform

Issue/Introduction

The RabbitMQ management endpoints:

https://<pivotal-rmq.sys.domain>/api/index.html

https://<pivotal-rmq.sys.domain>/cli/index.html

do not require authentication; this was by design on older versions of RabbitMQ.

If you open either page, it contains only documentation. The content is the same as the links below, which are publicly available:

https://rawcdn.githack.com/rabbitmq/rabbitmq-server/v4.0.7/deps/rabbitmq_management/priv/www/api/index.html

https://rawcdn.githack.com/rabbitmq/rabbitmq-server/v4.0.7/deps/rabbitmq_management/priv/www/cli/index.html


If you use other API endpoints that expose critical information about RMQ components, or any non-documentation endpoint, such as

http://<pivotal-rmq.sys.domain>/api/vhosts

http://<pivotal-rmq.sys.domain>/api/channels?sort=message_stats.publish_details.rate&sort_reverse=true&columns=name,message_stats.publish_details.rate,message_stats.deliver_get_details.rate

you will be prompted for a username and password.

If your security scan report is failing for '/api/index.html' and '/cli/index.html' and you need this to be addressed, this KB discusses how.
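The following script is an added example and is not part of the KB or of RabbitMQ itself. It checks, from a defender's side, which management paths answer without credentials: the two documentation pages listed above are expected to be open on older versions, while the data endpoints (the '/api/vhosts' and '/api/channels' paths from this article) must answer 401 or 403. The hostname is a placeholder, the `fetch` parameter is an assumption that lets the classification be exercised offline, and the finding labels are this example's own.

```python
"""Audit RabbitMQ management endpoints for missing authentication.

Added example (not from the KB). Assumes the management UI is reachable at
BASE_URL (placeholder host) and that only the two documentation pages are
expected to be open before the fix described in the article.
"""
import base64
import urllib.error
import urllib.request

# Placeholder host; replace with your own management URL.
BASE_URL = "https://pivotal-rmq.sys.example.invalid"

# Static documentation pages: unauthenticated by design on older releases.
DOC_ENDPOINTS = ["/api/index.html", "/cli/index.html"]
# Endpoints that return live broker data; these must always demand credentials.
DATA_ENDPOINTS = ["/api/vhosts", "/api/channels"]


def http_status(url, user=None, password=None, timeout=5):
    """Return the HTTP status for a GET, optionally with HTTP Basic credentials."""
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        # 401/403 are the expected answers for an unauthenticated data request.
        return exc.code


def classify(path, status):
    """Map an unauthenticated request's status to a finding label.

    'doc-page-open'  : a documentation page served without auth (expected pre-fix)
    'auth-required'  : the endpoint demanded credentials (desired state)
    'DATA-EXPOSED'   : a data endpoint answered 200 without credentials (investigate)
    """
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        return "doc-page-open" if path in DOC_ENDPOINTS else "DATA-EXPOSED"
    return f"other-{status}"


def audit(base_url=BASE_URL, fetch=http_status):
    """Probe every listed path without credentials and classify each answer.

    `fetch` is injectable (assumption for this example) so the logic can be
    run against canned responses without a live broker.
    """
    base = base_url.rstrip("/")
    return {path: classify(path, fetch(base + path))
            for path in DOC_ENDPOINTS + DATA_ENDPOINTS}


def exposed_data_endpoints(findings):
    """Return the paths that leaked broker data without authentication."""
    return sorted(p for p, label in findings.items() if label == "DATA-EXPOSED")


if __name__ == "__main__":
    for path, label in audit().items():
        print(f"{label:15s} {path}")
```

Run it against your own management URL; a result of `doc-page-open` for the two documentation pages and `auth-required` for everything else matches the pre-fix behaviour this article describes, while any `DATA-EXPOSED` line is a real misconfiguration rather than a scanner false positive.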

Resolution

As of the time of writing this KB, the current version of OSS RabbitMQ is 3.13.9. A feature request to require authentication for '/api/index.html' and '/cli/index.html' will be included in the upcoming OSS RabbitMQ v3.13.x release, the LTS version OSS RabbitMQ v3.13.10.

Upgrade to OSS RabbitMQ v3.13.10 or later.