A medium-severity vulnerability in the RabbitMQ messaging and streaming broker affects versions from 3.7.0 through 4.1.1 and 4.0.12. The issue, classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), has been addressed in versions 4.1.2 and 4.0.13. The CVSS 4.0 vector indicates a network attack vector with high attack complexity, requiring high privileges and user interaction, [truncated]
A regex injection vulnerability in RabbitMQ's MQTT plugin allows authenticated users to bypass topic-level authorization controls. The flaw exists in versions 4.2.0 through 4.2.3, where user-supplied client_id values from MQTT CONNECT packets are substituted into authorization regex patterns without proper escaping of special regex characters. An attacker can craft a malicious client_id containing regex m [truncated]
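The following is an added illustration, not RabbitMQ's own code or patch: a simplified Python model of the flaw described above, in which a per-user topic permission is a regex template and the MQTT client_id from the CONNECT packet is substituted into it before matching. The template, topic names and client_ids are constructed for the example. It places the unescaped substitution beside the escaped one (re.escape), and adds the two defensive checks a broker operator would want: a strict client_id allow-list applied at CONNECT time, and an audit helper that flags client_ids carrying regex metacharacters in connection logs.

```python
import re

# Constructed example (not RabbitMQ's code). Hypothetical permission template:
# a client may only publish telemetry under its own client_id.
PERMISSION_TEMPLATE = r"^devices/{client_id}/telemetry$"


def vulnerable_topic_pattern(client_id: str) -> str:
    """Models the flawed behaviour: the raw client_id is substituted into the
    regex, so any metacharacters it contains become part of the pattern."""
    return PERMISSION_TEMPLATE.format(client_id=client_id)


def hardened_topic_pattern(client_id: str) -> str:
    """Fix: re.escape() neutralises every regex metacharacter, so the
    client_id can only ever match itself literally."""
    return PERMISSION_TEMPLATE.format(client_id=re.escape(client_id))


def is_authorized(pattern: str, topic: str) -> bool:
    """Full-match the compiled permission against the requested topic."""
    return re.fullmatch(pattern, topic) is not None


# Defence in depth: an allow-list for client_id independent of escaping.
# The character set and length cap are assumptions for this example.
VALID_CLIENT_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")


def accept_client_id(client_id: str) -> bool:
    """Reject at CONNECT time any client_id outside the allow-list, so
    metacharacters never reach the authorization path at all."""
    return VALID_CLIENT_ID.fullmatch(client_id) is not None


def flag_metacharacter_client_ids(client_ids):
    """Audit helper for connection logs: return the client_ids that would be
    rejected by the allow-list, i.e. candidates for a bypass attempt."""
    return [cid for cid in client_ids if not accept_client_id(cid)]


if __name__ == "__main__":
    own_topic = "devices/sensor-01/telemetry"
    other_topic = "devices/sensor-02/telemetry"

    # Legitimate client: both variants authorise its own topic only.
    print(is_authorized(vulnerable_topic_pattern("sensor-01"), own_topic))    # True
    print(is_authorized(vulnerable_topic_pattern("sensor-01"), other_topic))  # False

    # Metacharacter client_id: the flawed variant over-matches, the fix does not.
    print(is_authorized(vulnerable_topic_pattern(".*"), other_topic))  # True
    print(is_authorized(hardened_topic_pattern(".*"), other_topic))    # False

    # Constructed log excerpt of client_ids seen at CONNECT.
    seen = ["sensor-01", "gateway_7", ".*", "a|b"]
    print(flag_metacharacter_client_ids(seen))  # ['.*', 'a|b']
```

The escaping fix alone closes the over-match, but the allow-list is cheaper to reason about and turns the condition into something a broker can log and alert on rather than silently neutralise.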