Vulnerability Description
RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API did not enforce an HTTP request body limit, making it vulnerable for denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish a very large messages over the HTTP API and cause target node to be terminated by an "out-of-memory killer"-like mechanism. This vulnerability has been patched in versions 3.11.24 and 3.12.7.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vmware | Rabbitmq | < 3.11.24 |
Related Weaknesses (CWE)
References
- https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-w6cq-9cf4-gVendor Advisory
- https://lists.debian.org/debian-lts-announce/2023/12/msg00009.html
- https://www.debian.org/security/2023/dsa-5571
- https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-w6cq-9cf4-gVendor Advisory
- https://lists.debian.org/debian-lts-announce/2023/12/msg00009.html
- https://www.debian.org/security/2023/dsa-5571
FAQ
What is CVE-2023-46118?
CVE-2023-46118 is a vulnerability with a CVSS score of 4.9 (MEDIUM). RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API did not enforce an HTTP request body limit, making it vulnerable for denial of service (DoS) attacks with very large messages. An ...
How severe is CVE-2023-46118?
CVE-2023-46118 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-46118?
Check the references section above for vendor advisories and patch information. Affected products include: Vmware Rabbitmq.