CVE-2015-8786
Description
The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
RabbitMQ Management plugin before 3.6.1 allows authenticated users to cause denial of service by providing large values for lengths_age or lengths_incr parameters.
Vulnerability
The RabbitMQ Management plugin before version 3.6.1 does not validate the lengths_age and lengths_incr query parameters. Remote authenticated users with certain privileges can supply excessively large values for these parameters, leading to resource consumption. Affected versions include all RabbitMQ releases prior to 3.6.1 [1]. Red Hat distributions (OpenStack 5 and 7) shipped with vulnerable versions [3][4].
Exploitation
An attacker must have valid credentials and the necessary privileges to access the management plugin's HTTP API. By crafting requests with large numeric values for lengths_age or lengths_incr, the attacker can trigger excessive resource allocation on the server. No additional user interaction is required beyond the authenticated request [2].
Impact
Successful exploitation results in a denial of service (DoS) due to resource exhaustion. The server may become unresponsive or crash, disrupting messaging operations. The vulnerability does not lead to data disclosure or privilege escalation; the impact is limited to availability [3][4].
Mitigation
The fix was released in RabbitMQ version 3.6.1 [1]. Users should upgrade to 3.6.1 or later. For Red Hat OpenStack deployments, updated packages (rabbitmq-server-3.3.5-31.el7ost) are available via RHSA-2017-0530 and RHSA-2017-0532 [3][4]. No workarounds are documented; upgrading is the recommended mitigation.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:pivotal_software:rabbitmq:3.6.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*
- Range: <3.6.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html (nvd: Patch, Third Party Advisory)
- github.com/rabbitmq/rabbitmq-management/issues/97 (nvd: Issue Tracking, Patch)
- github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_1 (nvd: Issue Tracking, Patch)
- www.securityfocus.com/bid/91508 (nvd: Third Party Advisory, VDB Entry)
- rhn.redhat.com/errata/RHSA-2017-0226.html (nvd)
- rhn.redhat.com/errata/RHSA-2017-0530.html (nvd)
- rhn.redhat.com/errata/RHSA-2017-0531.html (nvd)
- rhn.redhat.com/errata/RHSA-2017-0532.html (nvd)
- rhn.redhat.com/errata/RHSA-2017-0533.html (nvd)
News mentions
No linked articles in our index yet.