CVE-2023-46118

RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API did not enforce an HTTP request body limit, making it vulnerable for denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish a very large messages over the HTTP API and cause target node to be terminated by an "out-of-memory killer"-like mechanism. This vulnerability has been patched in versions 3.11.24 and 3.12.7.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.9 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
GitHub_MCNA
4.9 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 49%
VendorProductVersion
vmwarerabbitmq
𝑥
< 3.11.24
vmwarerabbitmq
3.12.0 ≤
𝑥
< 3.12.7
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
rabbitmq-server
bullseye (security)
3.8.9-3+deb11u1
fixed
bullseye
3.8.9-3+deb11u1
fixed
bookworm
3.10.8-1.1+deb12u1
fixed
bookworm (security)
3.10.8-1.1+deb12u1
fixed
trixie
3.10.8-4
fixed
sid
4.0.5-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
rabbitmq-server
oracular
Fixed 3.12.1-1ubuntu1
released
noble
Fixed 3.12.1-1ubuntu1
released
mantic
Fixed 3.12.1-1ubuntu0.1
released
lunar
Fixed 3.10.8-1.1ubuntu0.1
released
jammy
Fixed 3.9.13-1ubuntu0.22.04.2
released
focal
Fixed 3.8.2-0ubuntu1.5
released
bionic
needs-triage
xenial
needs-triage
trusty
ignored
Common Weakness Enumeration
References
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-w6cq-9cf4-gqpg
https://lists.debian.org/debian-lts-announce/2023/12/msg00009.html
https://www.debian.org/security/2023/dsa-5571
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-w6cq-9cf4-gqpg
https://lists.debian.org/debian-lts-announce/2023/12/msg00009.html
https://www.debian.org/security/2023/dsa-5571