CVE-2019-11287

NameCVE-2019-11287
DescriptionPivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2710-1
NVD severitymedium
Debian Bugs945600

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rabbitmq-server (PTS)stretch3.6.6-1vulnerable
stretch (security)3.6.6-1+deb9u2fixed
buster3.7.8-4vulnerable
bullseye3.8.9-3fixed
bookworm, sid3.9.4-1.2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
rabbitmq-serversourcestretch3.6.6-1+deb9u1DLA-2710-1
rabbitmq-serversource(unstable)3.8.3-1945600

Notes

[buster] - rabbitmq-server <no-dsa> (Minor issue)
[jessie] - rabbitmq-server <postponed> (Minor issue)
https://pivotal.io/security/cve-2019-11287

Search for package or bug name: Reporting problems