CVE-2019-11287
Published: 23 November 2019
Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
rabbitmq-server Launchpad, Ubuntu, Debian |
bionic |
Released
(3.6.10-1ubuntu0.5)
|
| disco |
Ignored
(end of life)
|
|
| eoan |
Ignored
(end of life)
|
|
| focal |
Not vulnerable
(3.8.2-0ubuntu1.1)
|
|
| groovy |
Not vulnerable
(3.8.5-1)
|
|
| hirsute |
Not vulnerable
(3.8.9-1)
|
|
| impish |
Not vulnerable
(3.8.9-1)
|
|
| jammy |
Not vulnerable
(3.8.9-1)
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(3.5.7-1ubuntu0.16.04.4+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
|
Patches: upstream: https://github.com/rabbitmq/rabbitmq-server/pull/2155 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |