Lucene search

GoogleOSV:GHSA-HRFH-7J5F-8CCR

HistoryMay 24, 2022 - 5:01 p.m.

Pivotal RabbitMQ is vulnerable to a denial of service attack

2022-05-2417:01:50

Google

osv.dev

0.451 Medium

EPSS

Percentile

97.4%

JSON

Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The “X-Reason” HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

CPENameOperatorVersion
rabbitmqge3.8.0
rabbitmqlt3.8.1
rabbitmqlt1.16.7
rabbitmqlt1.17.4
rabbitmqlt3.7.21
rabbitmqge3.7.0
rabbitmqge1.17.0

Name	Operator	Version
rabbitmq	ge	3.8.0
rabbitmq	lt	3.8.1
rabbitmq	lt	1.16.7
rabbitmq	lt	1.17.4
rabbitmq	lt	3.7.21
rabbitmq	ge	3.7.0
rabbitmq	ge	1.17.0

References

access.redhat.com/errata/RHSA-2020:0078

github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin

github.com/rabbitmq/rabbitmq-server

lists.debian.org/debian-lts-announce/2021/07/msg00011.html

lists.fedoraproject.org/archives/list/[email protected]/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO

lists.fedoraproject.org/archives/list/[email protected]/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4

nvd.nist.gov/vuln/detail/CVE-2019-11287

pivotal.io/security/cve-2019-11287

0.451 Medium

EPSS

Percentile

97.4%

JSON

Related for OSV:GHSA-HRFH-7J5F-8CCR