MEDIUM 4.9

GHSA-w6cq-9cf4-gqpg

RabbitMQ vulnerable to Denial of Service by publishing large messages over the HTTP API

Details

### Summary

Responsibly disclosed by @NSEcho.

HTTP API did not enforce an HTTP request body limit, making it vulnerable for DoS attacks with very large messages.

### Details

An authenticated user with sufficient credentials can publish a very large messages over the HTTP API and cause target node to be terminated by an "out-of-memory killer"-like mechanism.

A PoC was provided to Team RabbitMQ privately.

### Impact

Denial of Service

Are you affected?

Enter the version of the package you're using.

Affected packages

Hex / rabbit_common

Introduced in: 3.12.0 Fixed in: 3.12.7

Fix mix deps.update rabbit_common

Hex / rabbit_common

Introduced in: 3.11.0 Fixed in: 3.11.24

Fix mix deps.update rabbit_common

References

https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-w6cq-9cf4-gqpg [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2023-46118 [ADVISORY]
https://github.com/rabbitmq/rabbitmq-server [PACKAGE]
https://lists.debian.org/debian-lts-announce/2023/12/msg00009.html [WEB]
https://www.debian.org/security/2023/dsa-5571 [WEB]