CVE-2023-46118

EUVD-2023-50377
RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API did not enforce an HTTP request body limit, making it vulnerable for denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish a very large messages over the HTTP API and cause target node to be terminated by an "out-of-memory killer"-like mechanism. This vulnerability has been patched in versions 3.11.24 and 3.12.7.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.9 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
GitHub_MCNA
4.9 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 41%
Affected Products (NVD)
VendorProductVersion
vmwarerabbitmq
𝑥
< 3.11.24
vmwarerabbitmq
3.12.0 ≤
𝑥
< 3.12.7
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
rabbitmq-server
bookworm
3.10.8-1.1+deb12u1
fixed
bookworm (security)
3.10.8-1.1+deb12u1
fixed
bullseye
3.8.9-3+deb11u1
fixed
bullseye (security)
3.8.9-3+deb11u1
fixed
sid
4.0.5-1
fixed
trixie
3.10.8-4
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
rabbitmq-server
bionic
needs-triage
focal
Fixed 3.8.2-0ubuntu1.5
released
jammy
Fixed 3.9.13-1ubuntu0.22.04.2
released
lunar
Fixed 3.10.8-1.1ubuntu0.1
released
mantic
Fixed 3.12.1-1ubuntu0.1
released
noble
Fixed 3.12.1-1ubuntu1
released
oracular
Fixed 3.12.1-1ubuntu1
released
trusty
ignored
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-w6cq-9cf4-gqpg
https://lists.debian.org/debian-lts-announce/2023/12/msg00009.html
https://www.debian.org/security/2023/dsa-5571
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-w6cq-9cf4-gqpg
https://lists.debian.org/debian-lts-announce/2023/12/msg00009.html
https://www.debian.org/security/2023/dsa-5571