MEDIUM 4.9

GHSA-w6cq-9cf4-gqpg

RabbitMQ vulnerable to Denial of Service by publishing large messages over the HTTP API

상세

### Summary

Responsibly disclosed by @NSEcho.

HTTP API did not enforce an HTTP request body limit, making it vulnerable for DoS attacks with very large messages.

### Details

An authenticated user with sufficient credentials can publish a very large messages over the HTTP API and cause target node to be terminated by an "out-of-memory killer"-like mechanism.

A PoC was provided to Team RabbitMQ privately.

### Impact

Denial of Service

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

Hex / rabbit_common

최초 영향 버전: 3.12.0 수정 버전: 3.12.7

수정 mix deps.update rabbit_common

Hex / rabbit_common

최초 영향 버전: 3.11.0 수정 버전: 3.11.24

수정 mix deps.update rabbit_common

참고

https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-w6cq-9cf4-gqpg [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2023-46118 [ADVISORY]
https://github.com/rabbitmq/rabbitmq-server [PACKAGE]
https://lists.debian.org/debian-lts-announce/2023/12/msg00009.html [WEB]
https://www.debian.org/security/2023/dsa-5571 [WEB]