QwikSec

Security Database

CVE

CWE

Training

CVE-2023-46120

Published: Oct 24, 2023

Modified: Sep 11, 2024

PUBLISHED

CVSS v3.1

4.9

MEDIUM

Description

The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer. This vulnerability was patched in version 5.18.0.

Vendor	Product	Versions
rabbitmq	rabbitmq-java-client	affected `< 5.18.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/rabbitmq/rabbitmq-java-client/security/advisories/GHSA-mm8h-8587-p46h

x_refsource_CONFIRM

https://github.com/rabbitmq/rabbitmq-java-client/issues/1062

x_refsource_MISC

https://github.com/rabbitmq/rabbitmq-java-client/commit/714aae602dcae6cb4b53cadf009323ebac313cc8

x_refsource_MISC

https://github.com/rabbitmq/rabbitmq-java-client/releases/tag/v5.18.0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.