CVE-2019-11287

Published: 23 November 2019

Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

Priority

Low

CVSS 3 base score: 7.5

Status

Package: rabbitmq-server (trackers: Launchpad, Ubuntu, Debian)

Release                              Status
Upstream                             Needs triage
Ubuntu 21.10 (Impish Indri)          Not vulnerable (3.8.9-1)
Ubuntu 21.04 (Hirsute Hippo)         Not vulnerable (3.8.9-1)
Ubuntu 20.04 LTS (Focal Fossa)       Not vulnerable (3.8.2-0ubuntu1.1)
Ubuntu 18.04 LTS (Bionic Beaver)     Released (3.6.10-1ubuntu0.5)
Ubuntu 16.04 ESM (Xenial Xerus)      Released (3.5.7-1ubuntu0.16.04.4+esm1)
Ubuntu 14.04 ESM (Trusty Tahr)       Does not exist

Patches:
Upstream: https://github.com/rabbitmq/rabbitmq-server/pull/2155