GHSA-w6cq-9cf4-gqpgMediumCVSS 4.9
RabbitMQ vulnerable to Denial of Service by publishing large messages over the HTTP API
🔗 CVE IDs covered (1)
📋 Description
Summary
Responsibly disclosed by @NSEcho.
HTTP API did not enforce an HTTP request body limit, making it vulnerable for DoS attacks with very large messages.
Details
An authenticated user with sufficient credentials can publish a very large messages over the HTTP API and cause target node to be terminated by an "out-of-memory killer"-like mechanism.
A PoC was provided to Team RabbitMQ privately.
Impact
Denial of Service
🎯 Affected products2
- erlang/rabbit_common:>= 3.12.0, < 3.12.7
- erlang/rabbit_common:>= 3.11.0, < 3.11.24