CVE-2019-11287

Summary

Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

Affected Software

VendorProductVersion RangeStatus
PivotalRabbitMQ for Pivotal Platform1.16 < 1.16.7affected
PivotalRabbitMQ for Pivotal Platform1.17 < 1.17.4affected
PivotalRabbitMQ3.7 < v3.7.21affected
PivotalRabbitMQ3.8 < v3.8.1affected

Weaknesses

  • CWE-400: CWE-400: Denial of Service

ADP Enrichment

CVE Program Container

Additional References

References