Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2019-11287: CVE-2019-11287 | Security

Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The “X-Reason” HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

CVE
Open in Source
#vulnerability#web#dos#vmware

All Vulnerability Reports

CVE-2019-11287: RabbitMQ Web Management Plugin DoS via heap overflow
Severity

Medium

Vendor

Pivotal

Description

Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack.
The “X-Reason” HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

  • RabbitMQ

    • 3.7 versions prior to v3.7.21
    • 3.8 versions prior to v3.8.1

  • RabbitMQ for Pivotal Platform

    • 1.16 versions prior to 1.16.7
    • 1.17 versions prior to 1.17.4

Mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

  • RabbitMQ

    • v3.7.21
    • v3.8.1

  • RabbitMQ for Pivotal Platform

    • 1.16.7
    • 1.17.4

Credit

This issue was responsibly reported by Matei “Mal” Badanoiu.

References

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11287

History

2019-11-22: Initial vulnerability report published.

Related news

CVE-2023-21954: Oracle Critical Patch Update Advisory - April 2023

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE