Unrated severity · NVD Advisory · Published Oct 24, 2023 · Updated Feb 13, 2025
Denial of Service by publishing large messages over the HTTP API
CVE-2023-46118
Description
RabbitMQ is a multi-protocol messaging and streaming broker. Its HTTP API did not enforce an HTTP request body limit, making it vulnerable to denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials (access to the HTTP API and publish permission on the target exchange) can publish very large messages over the HTTP API and cause the target node to be terminated by an "out-of-memory killer"-like mechanism. This vulnerability has been patched in versions 3.11.24 and 3.12.7.
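The description gives two facts a practitioner can act on: the precondition (an authenticated user who may publish via the HTTP API) and the fixed versions (3.11.24 and 3.12.7). The following is an added example, not code from the RabbitMQ project or from this advisory: it turns the advisory's version ranges into a check against the `rabbitmq_version` field that the management plugin's `GET /api/overview` endpoint returns. The sample overview body is constructed for the example; the helper names and the live-fetch function are assumptions made for illustration.

```python
"""Version-based exposure check for CVE-2023-46118 (RabbitMQ HTTP API body limit).

Added example, not RabbitMQ project code. The fixed versions (3.11.24 and
3.12.7) and the affected ranges ('< 3.11.24', '< 3.12.7') come from the
advisory text; helper names and the sample data below are assumptions.
"""
import base64
import json
import re
import urllib.request
from typing import Tuple

FIXED_3_11 = (3, 11, 24)   # from the advisory
FIXED_3_12 = (3, 12, 7)    # from the advisory

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'X.Y.Z' into a comparable tuple.

    Any suffix (e.g. '-rc.1', '+build') is ignored, so a pre-release of a
    fixed version compares as fixed: treat such nodes with care.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RabbitMQ version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True if the release falls inside the advisory's affected ranges.

    The page lists '< 3.11.24' and '< 3.12.7'. Read together with the
    description ("patched in 3.11.24 and 3.12.7") that means:
      - anything below 3.11.24, including older series, is affected
      - 3.12.0 .. 3.12.6 is affected
      - 3.11.24+, 3.12.7+ and later series (3.13+) are not
    """
    v = parse_version(version)
    if v < FIXED_3_11:
        return True
    if v[:2] == (3, 12) and v < FIXED_3_12:
        return True
    return False


def version_from_overview(overview_json: str) -> str:
    """Extract rabbitmq_version from the JSON body of GET /api/overview."""
    data = json.loads(overview_json)
    return data["rabbitmq_version"]


def assess_overview(overview_json: str) -> dict:
    """Turn an /api/overview body into a small finding record."""
    ver = version_from_overview(overview_json)
    return {
        "version": ver,
        "vulnerable": is_vulnerable(ver),
        "fixed_in": "3.11.24 / 3.12.7",
    }


def fetch_overview(base_url: str, user: str, password: str, timeout: float = 5.0) -> str:
    """Live variant (assumed helper): GET {base_url}/api/overview with HTTP basic auth.

    The account needs the management tag; nothing is published, so this is a
    read-only check rather than a reproduction of the issue.
    """
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/overview")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample: a trimmed-down /api/overview reply (fields are real, values made up).
SAMPLE_OVERVIEW = json.dumps({
    "rabbitmq_version": "3.12.6",
    "erlang_version": "26.1",
    "management_version": "3.12.6",
    "cluster_name": "rabbit@example-node",
})


if __name__ == "__main__":
    print(assess_overview(SAMPLE_OVERVIEW))
```

A version match is a triage signal, not proof either way: a node behind a reverse proxy that already caps request bodies (nginx `client_max_body_size`, for instance) is protected regardless of version, and a patched node whose HTTP API is reachable by many publish-capable accounts still deserves a look at who holds those accounts, since the advisory's precondition is authenticated access with publish rights.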
Affected products
12 OSV coordinates across 11 packages; none of them has a CPE assigned. Package coordinate (purl, as listed) and affected range:
- pkg:bitnami/rabbitmq: < 3.11.24
- pkg:rpm/opensuse/elixir115&distro=openSUSE%20Leap%2015.6: < 1.15.7-150300.7.5.1
- pkg:rpm/opensuse/erlang26&distro=openSUSE%20Leap%2015.6: < 26.2.1-150300.7.5.1
- pkg:rpm/opensuse/rabbitmq-server313&distro=openSUSE%20Leap%2015.6: < 3.13.1-150600.13.5.3
- pkg:rpm/opensuse/rabbitmq-server&distro=openSUSE%20Leap%2015.4: < 3.8.11-150300.3.14.1
- pkg:rpm/opensuse/rabbitmq-server&distro=openSUSE%20Leap%2015.5: < 3.8.11-150300.3.14.1
- pkg:rpm/suse/elixir115&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP6: < 1.15.7-150300.7.5.1
- pkg:rpm/suse/erlang26&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP6: < 26.2.1-150300.7.5.1
- pkg:rpm/suse/rabbitmq-server313&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP6: < 3.13.1-150600.13.5.3
- pkg:rpm/suse/rabbitmq-server&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP4: < 3.8.11-150300.3.14.1
- pkg:rpm/suse/rabbitmq-server&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP5: < 3.8.11-150300.3.14.1
- (no package coordinate given) Range: < 3.12.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.