Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| RabbitMQ (Hex) | 3.7.0 | 3.7.21 | N/A |
| RabbitMQ (Hex) | 3.8.0 | 3.8.1 | N/A |
| RabbitMQ (Hex) | 0 | 1.16.7 | N/A |
| RabbitMQ (Hex) | 1.17.0 | 1.17.4 | N/A |
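The practical question for an operator is whether a given deployment sits inside one of the affected ranges above. The following is an added example, not code from the advisory or from the RabbitMQ project: it encodes the four Introduced/Fixed pairs from the table (the "Limit" column is ignored, and the product names are taken from the advisory text rather than the table's "RabbitMQ (Hex)" label, which is an assumption), compares three-component numeric versions, and conservatively treats a pre-release build of a fixed version (e.g. `3.8.1-rc.1`) as still affected. The inventory it scans is constructed sample data.

```python
"""Check RabbitMQ / RabbitMQ for Pivotal Platform versions against the advisory's affected ranges."""
from typing import List, Optional, Tuple

# (product, introduced, fixed) taken from the advisory table; the product
# labels are assumed from the advisory prose (RabbitMQ 3.x vs. the Pivotal
# Platform 1.16.x / 1.17.x tile), since the table itself labels every row "RabbitMQ (Hex)".
AFFECTED_RANGES: List[Tuple[str, str, str]] = [
    ("RabbitMQ", "3.7.0", "3.7.21"),
    ("RabbitMQ", "3.8.0", "3.8.1"),
    ("RabbitMQ for Pivotal Platform", "0", "1.16.7"),      # "0" = every earlier release
    ("RabbitMQ for Pivotal Platform", "1.17.0", "1.17.4"),
]


def parse_version(version: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease).

    Accepts an optional leading 'v', a '-prerelease' suffix and a '+build' suffix;
    missing components are padded with zeros so "0" becomes (0, 0, 0).
    """
    core, _, prerelease = version.strip().lstrip("vV").partition("-")
    core = core.split("+", 1)[0]
    parts = [int(p) for p in core.split(".") if p != ""]
    if not parts or len(parts) > 3:
        raise ValueError(f"unsupported version string: {version!r}")
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2]), bool(prerelease)


def is_affected(product: str, version: str) -> Optional[Tuple[str, str]]:
    """Return (product, fixed_version) if the version is vulnerable, else None.

    A version is affected when introduced <= version < fixed. A pre-release of the
    fixed version (e.g. 3.8.1-rc.1) predates the fix and is treated as affected.
    """
    nums, prerelease = parse_version(version)
    for name, introduced, fixed in AFFECTED_RANGES:
        if name != product:
            continue
        lo, _ = parse_version(introduced)
        hi, _ = parse_version(fixed)
        if lo <= nums < hi or (prerelease and nums == hi):
            return (name, fixed)
    return None


def scan_inventory(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, fixed_version) for every affected entry."""
    findings = []
    for host, product, version in inventory:
        hit = is_affected(product, version)
        if hit is not None:
            findings.append((host, product, version, hit[1]))
    return findings


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("mq-01.example.internal", "RabbitMQ", "3.7.20"),
    ("mq-02.example.internal", "RabbitMQ", "3.7.21"),
    ("mq-03.example.internal", "RabbitMQ", "v3.8.1-rc.1"),
    ("mq-04.example.internal", "RabbitMQ", "3.6.16"),
    ("tile-a.example.internal", "RabbitMQ for Pivotal Platform", "1.16.3"),
    ("tile-b.example.internal", "RabbitMQ for Pivotal Platform", "1.17.4"),
]

if __name__ == "__main__":
    for host, product, version, fixed in scan_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected; upgrade to {fixed} or later")
```

Because the Pivotal Platform tile's 1.x numbering overlaps nothing in the RabbitMQ 3.x series only by luck, the check keys on the product name rather than the bare number; feeding the wrong product label would silently miss or falsely flag a host.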
CVSS Metrics