Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2023-46118

Published: 25 October 2023

RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API did not enforce an HTTP request body limit, making it vulnerable for denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish a very large messages over the HTTP API and cause target node to be terminated by an "out-of-memory killer"-like mechanism. This vulnerability has been patched in versions 3.11.24 and 3.12.7.

Priority

Medium

Cvss 3 Severity Score

4.9

Score breakdown

Status

Package Release Status
rabbitmq-server
Launchpad, Ubuntu, Debian 		bionic Needs triage

focal
Released (3.8.2-0ubuntu1.5)
jammy
Released (3.9.13-1ubuntu0.22.04.2)
lunar
Released (3.10.8-1.1ubuntu0.1)
mantic
Released (3.12.1-1ubuntu0.1)
noble
Released (3.12.1-1ubuntu1)
trusty Ignored
(end of standard support)
upstream
Released (3.11.24,3.12.7)
xenial Needs triage

Patches:
upstream: https://github.com/rabbitmq/rabbitmq-server/pull/9709
upstream: https://github.com/rabbitmq/rabbitmq-server/commit/0de73e5f3fef07bef8299d19faa89cc4fc01219f
upstream: https://github.com/rabbitmq/rabbitmq-server/commit/6d8a4ead2cbddfba33e178b3cafa1d550819d589
upstream: https://github.com/rabbitmq/rabbitmq-server/commit/e6eb78b48072e159c243edb26cd671cf0451e2a1
upstream: https://github.com/rabbitmq/rabbitmq-server/pull/9710
upstream: https://github.com/rabbitmq/rabbitmq-server/commit/8c25a89582840f3e2d5f4ba14b29193df4dad639
upstream: https://github.com/rabbitmq/rabbitmq-server/commit/e68b879823628d71d4f0e7c73f1a6229c82e945e
upstream: https://github.com/rabbitmq/rabbitmq-server/commit/e64f1cfe8e182d2d659a5a9193cf4cfc9c44b018

Severity score breakdown

Parameter Value
Base score 4.9
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading