CVE-2019-11287 — Pivotal RabbitMQ is vulnerable to a denial of service attack

Description

Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

How to fix CVE-2019-11287

To remediate CVE-2019-11287, upgrade the affected package to a fixed version below.

—upgrade to 3.8.3-1 or later
—upgrade to 3.7.21 or later

Is CVE-2019-11287 being exploited?

Low — EPSS is 4.6%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 3.8.3-1
>= 3.7.0, < 3.7.21

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-11287
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-11287
PATCHgithub.com/rabbitmq/rabbitmq-server
WEBaccess.redhat.com/errata/RHSA-2020:0078