
CVE-2021-22116

Published: 8 June 2021

All RabbitMQ versions prior to 3.8.16 are prone to a denial of service vulnerability due to improper input validation in the AMQP 1.0 client connection endpoint. A malicious user can exploit the vulnerability by sending malicious AMQP messages to a target RabbitMQ instance that has the AMQP 1.0 plugin enabled.

Notes

Author: leosilva
Note: Code affected in bionic is in deps/rabbitmq_amqp1_0/src/rabbit_amqp1_0_binary_parser.erl; in xenial, in plugins-src/rabbitmq-amqp1.0/src/rabbit_amqp1_0_binary_parser.erl.
Priority

Medium

CVSS 3 base score: 7.5

Status

Package: rabbitmq-server (Launchpad, Ubuntu, Debian)

Release status:
bionic: Released (3.6.10-1ubuntu0.5)
focal: Released (3.8.2-0ubuntu1.3)
groovy: Released (3.8.5-1ubuntu0.2)
hirsute: Released (3.8.9-2ubuntu0.1)
impish: Released (3.8.9-3ubuntu1)
jammy: Released (3.8.9-3ubuntu1)
precise: Does not exist
trusty: Does not exist
upstream: Needs triage
xenial: Released (3.5.7-1ubuntu0.16.04.4+esm1)

Patches:
upstream: https://github.com/rabbitmq/rabbitmq-server/commit/626d5219115d087a2695c0eb243c7ddb7e154563