CVE-2019-11287 Information

Description

Pivotal RabbitMQ versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The `X-Reason` HTTP header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.
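An added example, not part of the CVE record or of any vendor tooling: a small Python check that flags hosts whose RabbitMQ version falls inside the affected ranges stated above. The product labels and the inventory lines are constructed for illustration; the fixed versions are the ones the description gives.

```python
"""Flag RabbitMQ installs that predate the CVE-2019-11287 fix on their branch."""
import re
from typing import List, Tuple

# First fixed version per affected branch, taken from the advisory text.
# The product keys are labels chosen for this example, not vendor identifiers.
FIXED_VERSIONS = {
    "rabbitmq": {"3.7": "3.7.21", "3.8": "3.8.1"},
    "rabbitmq-for-pivotal-platform": {"1.16": "1.16.7", "1.17": "1.17.4"},
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.7.21' into (3, 7, 21) so tuples compare numerically.
    A pre-release suffix such as '-rc.1' is dropped, which treats
    '3.8.0-rc.1' as 3.8.0 (conservative: it still counts as affected)."""
    core = re.split(r"[-+]", v.strip(), maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(product: str, version: str) -> bool:
    """True if `version` of `product` is older than the fix on its branch.
    Branches the advisory does not name return False, since it makes no
    claim about them."""
    parsed = parse_version(version)
    branch = ".".join(str(n) for n in parsed[:2])
    fixed = FIXED_VERSIONS.get(product, {}).get(branch)
    if fixed is None:
        return False
    return parsed < parse_version(fixed)


# Constructed sample inventory, one "<host> <product> <version>" per line.
SAMPLE_INVENTORY = """\
mq-01 rabbitmq 3.7.20
mq-02 rabbitmq 3.7.21
mq-03 rabbitmq 3.8.0
pcf-01 rabbitmq-for-pivotal-platform 1.16.6
pcf-02 rabbitmq-for-pivotal-platform 1.17.4
"""


def affected_hosts(inventory: str) -> List[str]:
    """Return the hosts in `inventory` that still run an affected version."""
    hosts = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = line.split()
        if is_affected(product, version):
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    print(affected_hosts(SAMPLE_INVENTORY))  # ['mq-01', 'mq-03', 'pcf-01']
```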

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Reference

https://access.redhat.com/errata/RHSA-2020:0078
https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/
https://pivotal.io/security/cve-2019-11287

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

7.5

Base Severity

HIGH