CVE-2019-11287: Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x…

high7.5CVSS 3.1

AVNACLPRNUINSUCNINAH

Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

Affected

24 ranges

Vendor	Product	Version range	Fixed in
broadcom	rabbitmq_server	>= 3.8.0 < 3.8.1	3.8.1
debian	debian_linux	—	—
debian	rabbitmq-server	< rabbitmq-server 3.8.3-1 (bookworm)	rabbitmq-server 3.8.3-1 (bookworm)
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
pivotal	rabbitmq	>= 3.7 < v3.7.21	v3.7.21
pivotal	rabbitmq	>= 3.8 < v3.8.1	v3.8.1
pivotal	rabbitmq_for_pivotal_platform	>= 1.16 < 1.16.7	1.16.7
pivotal	rabbitmq_for_pivotal_platform	>= 1.17 < 1.17.4	1.17.4
pivotal_software	rabbitmq	>= 0 < 1.16.7	1.16.7
pivotal_software	rabbitmq	>= 1.16.0 < 1.16.7	1.16.7
pivotal_software	rabbitmq	>= 1.17.0 < 1.17.4	1.17.4
pivotal_software	rabbitmq	>= 1.17.0 < 1.17.4	1.17.4
pivotal_software	rabbitmq	>= 3.7.0 < 3.7.21	3.7.21
pivotal_software	rabbitmq	>= 3.7.0 < 3.7.21	3.7.21
pivotal_software	rabbitmq	>= 3.8.0 < 3.8.1	3.8.1
rabbitmq	rabbitmq-server	>= 0 < 3.8.3-1	3.8.3-1
rabbitmq	rabbitmq-server	>= 0 < 3.8.3-1	3.8.3-1
rabbitmq	rabbitmq-server	>= 0 < 3.8.3-1	3.8.3-1
rabbitmq	rabbitmq-server	>= 0 < 3.8.3-1	3.8.3-1
rabbitmq	rabbitmq-server	>= 0 < 3.6.10-1ubuntu0.5	3.6.10-1ubuntu0.5
rabbitmq	rabbitmq-server	>= 0 < 3.8.2-0ubuntu1.3	3.8.2-0ubuntu1.3
rabbitmq	rabbitmq-server	>= 0 < 3.5.7-1ubuntu0.16.04.4+esm1	3.5.7-1ubuntu0.16.04.4+esm1
redhat	openstack	—	—

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

osv7.5HIGH