GHSA-v9gv-xp36-jgj8MediumCVSS 5.5
RabbitMQ has predictable credential obfuscation seed value used in Shovel and Federation plugins
🔗 CVE IDs covered (1)
📋 Description
Impact
Shovel and Federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret.
This means that in case of certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log.
Patched versions correctly use a cluster-wide secret for that purpose.
Patches
Patched versions:
3.10.23.9.183.8.32
Workarounds
Disable Shovel and Federation plugins.
Credits
RabbitMQ core team would like to thank Lajos @luos Gerecs and Anh Nguyen from Erlang Solutions for responsibly disclosing and working with us on a patch for this vulnerability.
For more information
🎯 Affected products3
- erlang/rabbit_common:>= 3.10.0, < 3.10.2
- erlang/rabbit_common:>= 3.9.0, < 3.9.18
- erlang/rabbit_common:>= 3.8.0, < 3.8.32
🔗 References (5)
- https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8
- https://nvd.nist.gov/vuln/detail/CVE-2022-31008
- https://github.com/rabbitmq/rabbitmq-server/pull/4841
- https://github.com/rabbitmq/rabbitmq-server/commit/c22e1cb20e656d211e025c417d1fc75a9067b717
- https://github.com/advisories/GHSA-v9gv-xp36-jgj8