CVE-2023-35789: insecure password option · Issue #575 · alanxz/rabbitmq-c
An issue was discovered in the C AMQP client library (aka rabbitmq-c) for RabbitMQ, through version 0.13.0. Credentials can only be entered on the command line (e.g., for amqp-publish or amqp-consume) and are thus visible to local attackers, who can list a process and its arguments.
Hi,
The command line tools like amqp-publish and amqp-consume are insecure, since the username/password can be given as a command line parameter either with --password= or as part of the URL given with --url.
Passwords given as command line parameters are insecure, since they can be seen in the process list.
It should have alternative options to have the password read from a given file or pipe.
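One way to detect the exposure the report describes, as an added example that is not part of rabbitmq-c: it scans argv vectors (constructed samples below, in the NUL-separated form that /proc/<pid>/cmdline has on Linux) for a --password value or a user:password@ pair inside --url and reports a redacted form of each finding. The tool list, the sample command lines and the separate-argument option spelling (--password VALUE) are assumptions, not taken from the project.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Tools named in the report; constructed list, extend for your environment.
AMQP_TOOLS = ("amqp-publish", "amqp-consume")

def redact_url(url):
    """Replace a user:password@ pair in the URL's authority with user:***@."""
    parts = urlsplit(url)
    netloc = re.sub(r"^([^:@]*):[^@]*@", r"\1:***@", parts.netloc)
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

def find_exposures(argv):
    """Return (kind, redacted argument) findings for one argv vector.
    Checks --password=VALUE and a user:password@ pair inside --url=VALUE as in
    the report; the --opt VALUE spelling is an assumption about the option parser."""
    findings = []
    if not argv or argv[0].rsplit("/", 1)[-1] not in AMQP_TOOLS:
        return findings
    i = 1
    while i < len(argv):
        opt, sep, val = argv[i].partition("=")
        if not sep and opt in ("--password", "--url") and i + 1 < len(argv):
            i += 1            # value given as the following argument
            val = argv[i]
        if opt == "--password" and val:
            findings.append(("password-arg", "--password=***"))
        elif opt == "--url" and urlsplit(val).password is not None:
            findings.append(("url-credentials", "--url=" + redact_url(val)))
        i += 1
    return findings

def parse_proc_cmdline(raw):
    """Split a /proc/<pid>/cmdline blob (NUL-separated, NUL-terminated) into argv."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

# Constructed samples standing in for /proc/<pid>/cmdline contents.
SAMPLES = {
    101: b"amqp-publish\0--url=amqp://app:hunter2@broker:5672/prod\0-r\0events\0",
    102: b"/usr/bin/amqp-consume\0--server\0broker\0--password\0hunter2\0-q\0jobs\0",
    103: b"amqp-consume\0--url=amqp://broker/prod\0-q\0jobs\0",
    104: b"sshd\0-D\0",
}

def audit(samples):
    """Map pid -> findings for every sampled process that exposes a secret."""
    return {pid: f for pid, raw in samples.items() if (f := find_exposures(parse_proc_cmdline(raw)))}
```

On a live host the same audit runs over the real /proc/<pid>/cmdline files, and only the redacted form should ever reach a log or ticket.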
Related news
Red Hat Security Advisory 2023-7150-01 - An update for librabbitmq is now available for Red Hat Enterprise Linux 8.