Your submission was sent successfully! Close

CVE-2019-11287

Published: 23 November 2019

Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

Priority

Low

CVSS 3 base score: 7.5

Status

Package Release Status
rabbitmq-server
Launchpad, Ubuntu, Debian
bionic
Released (3.6.10-1ubuntu0.5)
disco Ignored
(reached end-of-life)
eoan Ignored
(reached end-of-life)
focal Not vulnerable
(3.8.2-0ubuntu1.1)
groovy Not vulnerable
(3.8.5-1)
hirsute Not vulnerable
(3.8.9-1)
impish Not vulnerable
(3.8.9-1)
jammy Not vulnerable
(3.8.9-1)
precise Does not exist

trusty Does not exist

upstream Needs triage

xenial
Released (3.5.7-1ubuntu0.16.04.4+esm1)
Patches:
upstream: https://github.com/rabbitmq/rabbitmq-server/pull/2155