CVE-2019-11287
23.11.2019, 00:15
Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.Enginsight
| Vendor | Product | Version |
|---|---|---|
| broadcom | rabbitmq_server | 3.8.0 ≤ 𝑥 < 3.8.1 |
| pivotal_software | rabbitmq | 1.16.0 ≤ 𝑥 < 1.16.7 |
| pivotal_software | rabbitmq | 1.17.0 ≤ 𝑥 < 1.17.4 |
| pivotal_software | rabbitmq | 3.7.0 ≤ 𝑥 < 3.7.21 |
| debian | debian_linux | 9.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Common Weakness Enumeration
- CWE-400 - Uncontrolled Resource ConsumptionThe software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
- CWE-134 - Use of Externally-Controlled Format StringThe software uses a function that accepts a format string as an argument, but the format string originates from an external source.
References