Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1ocmZoLTdqNWYtOGNjcs4AAiwj

Pivotal RabbitMQ is vulnerable to a denial of service attack

Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

Permalink: https://github.com/advisories/GHSA-hrfh-7j5f-8ccr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ocmZoLTdqNWYtOGNjcs4AAiwj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-hrfh-7j5f-8ccr, CVE-2019-11287
References: Repository: https://github.com/DrunkenShells/Disclosures
Blast Radius: 1.0

Affected Packages

hex:RabbitMQ
Affected Version Ranges: >= 1.17.0, < 1.17.4; < 1.16.7; >= 3.8.0, < 3.8.1; >= 3.7.0, < 3.7.21
Fixed in: 1.17.4, 1.16.7, 3.8.1, 3.7.21