CVE-2019-11287: RabbitMQ Web Management Plugin DoS via heap overflow
Medium
Pivotal
Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack.
The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.
Severity is medium unless otherwise noted.
-
RabbitMQ
- 3.7 versions prior to v3.7.21
- 3.8 versions prior to v3.8.1
-
RabbitMQ for Pivotal Platform
- 1.16 versions prior to 1.16.7
- 1.17 versions prior to 1.17.4
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
-
RabbitMQ
- v3.7.21
- v3.8.1
-
RabbitMQ for Pivotal Platform
- 1.16.7
- 1.17.4
This issue was responsibly reported by Matei "Mal" Badanoiu.
2019-11-22: Initial vulnerability report published.