GHSA-hrfh-7j5f-8ccr

Suggest an improvement
Source
https://github.com/advisories/GHSA-hrfh-7j5f-8ccr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hrfh-7j5f-8ccr/GHSA-hrfh-7j5f-8ccr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hrfh-7j5f-8ccr
Aliases
Published
2022-05-24T17:01:50Z
Modified
2023-11-08T04:01:00.723349Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Pivotal RabbitMQ is vulnerable to a denial of service attack
Details

Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

References

Affected packages

Hex / RabbitMQ

Package

Name
RabbitMQ
Purl
pkg:hex/RabbitMQ

Affected ranges

Type
SEMVER
Events
Introduced
3.7.0
Fixed
3.7.21

Hex / RabbitMQ

Package

Name
RabbitMQ
Purl
pkg:hex/RabbitMQ

Affected ranges

Type
SEMVER
Events
Introduced
3.8.0
Fixed
3.8.1

Hex / RabbitMQ

Package

Name
RabbitMQ
Purl
pkg:hex/RabbitMQ

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.16.7

Hex / RabbitMQ

Package

Name
RabbitMQ
Purl
pkg:hex/RabbitMQ

Affected ranges

Type
SEMVER
Events
Introduced
1.17.0
Fixed
1.17.4