First published: Tue Oct 24 2023
RabbitMQ is a multi-protocol messaging and streaming broker. Its HTTP API did not enforce an HTTP request body limit, making it vulnerable to denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish very large messages over the HTTP API and cause the target node to be terminated by an "out-of-memory killer"-like mechanism. This vulnerability has been patched in versions 3.11.24 and 3.12.7.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
debian/rabbitmq-server | <=3.7.8-4, <=3.8.9-3 | 3.8.2-1+deb10u2, 3.8.9-3+deb11u1, 3.10.8-1.1+deb12u1, 3.10.8-3 |
VMware RabbitMQ | <3.11.24 | 3.11.24 |
VMware RabbitMQ | >=3.12.0 <3.12.7 | 3.12.7 |
The vulnerability ID for this RabbitMQ vulnerability is CVE-2023-46118.
The severity of the CVE-2023-46118 vulnerability is medium with a severity value of 4.9.
The affected software for the CVE-2023-46118 vulnerability is VMware RabbitMQ versions before 3.11.24, and versions 3.12.0 up to but not including 3.12.7.
This vulnerability allows an authenticated user with sufficient credentials to publish very large messages over the HTTP API, exhausting memory on the target node until it is terminated by an out-of-memory-killer-like mechanism, a denial of service (DoS).
Yes, the fix for the CVE-2023-46118 vulnerability is to upgrade to a patched release: 3.11.24 or later on the 3.11 series, or 3.12.7 or later on the 3.12 series. Distribution packages (such as the Debian rabbitmq-server versions listed above) backport the fix without changing the upstream version number, so check the package version against the distribution's advisory rather than the upstream ranges.
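The version ranges above are split across two release series with different fix points, which is easy to get wrong in a fleet check. The following is an added triage helper, not code from the advisory or from the RabbitMQ project: it classifies an upstream RabbitMQ version string against the ranges stated on this page, and reads the version out of a management API `/api/overview` response (the `rabbitmq_version` field). The sample overview JSON is constructed for the example; the rule that a Debian-style revision suffix means "check the distro advisory instead" is this example's own assumption, since backported packages keep an older upstream number.

```python
import json
import re

# Fix points stated in the advisory: 3.11.24 for the 3.11 series,
# 3.12.7 for the 3.12 series (later series are treated as fixed).
FIXED_3_11 = (3, 11, 24)
FIXED_3_12 = (3, 12, 7)

# major.minor.patch followed by anything (release candidate tag,
# Debian revision such as "-1.1+deb12u1", ...)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_version(text):
    """Return ((major, minor, patch), suffix) for a RabbitMQ version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def classify(text):
    """Classify a version against CVE-2023-46118.

    Returns 'fixed', 'affected' or 'distro-package'. The last value is this
    example's assumption: a Debian-style "-<n>" revision or "+deb" suffix
    means the package may carry a backported fix under an older upstream
    number, so the upstream ranges cannot decide it.
    """
    version, suffix = parse_version(text)
    if "+deb" in suffix or re.search(r"-\d", suffix):
        return "distro-package"
    # 3.12.7 and anything newer (3.13.x, 4.x) carries the fix.
    if version >= FIXED_3_12:
        return "fixed"
    # On the 3.11 series the fix landed in 3.11.24.
    if version[:2] == (3, 11) and version >= FIXED_3_11:
        return "fixed"
    # 3.12.0 - 3.12.6, 3.11.x before 3.11.24, and every older series.
    return "affected"


def classify_overview(overview_json):
    """Classify a node from its /api/overview response body.

    Returns (version_string, classification)."""
    data = json.loads(overview_json)
    version = data["rabbitmq_version"]
    return version, classify(version)


# Constructed sample of the relevant fields of an /api/overview response;
# a real response carries many more keys.
SAMPLE_OVERVIEW = json.dumps({"rabbitmq_version": "3.12.6", "erlang_version": "26.0.2"})

if __name__ == "__main__":
    for v in ("3.11.23", "3.11.24", "3.12.6", "3.12.7", "3.13.0", "3.10.8-1.1+deb12u1"):
        print(f"{v:>20}: {classify(v)}")
    print("overview sample:", classify_overview(SAMPLE_OVERVIEW))
```

To use it against a live node, fetch `/api/overview` from the management plugin with a read-only user and pass the response body to `classify_overview`; anything reported as `distro-package` should be compared with the distribution's fixed versions from the table above instead.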