Rabbitmq
Products
3- 15 CVEs
- 1 CVE
- 0 CVEs
Recent CVEs
16| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-0929 | Hig | 0.49 | 7.5 | 0.01 | Sep 18, 2016 | The metrics-collection component in RabbitMQ for Pivotal Cloud Foundry (PCF) 1.6.x before 1.6.4 logs command lines of failed commands, which might allow context-dependent attackers to obtain sensitive information by reading the log data, as demonstrated by a syslog message that… | ||
| CVE-2026-44838 | Hig | 0.46 | 8.1 | 0.00 | May 27, 2026 | RabbitMQ is a messaging and streaming broker. From 4.2.0 to before 4.2.4, RabbitMQ's MQTT plugin allows for topic-level authorization using regular expressions with variable substitution. Administrators can create patterns such as ^{client_id}-sensors$ to restrict user access to… | ||
| CVE-2015-8786 | Med | 0.43 | 6.5 | 0.04 | Dec 9, 2016 | The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter. | ||
| CVE-2024-51988 | Med | 0.42 | 6.5 | 0.00 | Nov 6, 2024 | RabbitMQ is a feature rich, multi-protocol messaging and streaming broker. In affected versions queue deletion via the HTTP API was not verifying the `configure` permission of the user. Users who had all of the following: 1. Valid credentials, 2. Some permissions for the target… | ||
| CVE-2025-30219 | Med | 0.33 | 6.1 | 0.00 | Mar 25, 2025 | RabbitMQ is a messaging and streaming broker. Versions prior to 4.0.3 are vulnerable to a sophisticated attack that could modify virtual host name on disk and then make it unrecoverable (with other on disk file modifications) can lead to arbitrary JavaScript code execution in… | ||
| CVE-2026-44839 | Med | 0.24 | 4.8 | 0.00 | May 27, 2026 | RabbitMQ is a messaging and streaming broker. From 3.7.0 to before 4.1.2 and 4.0.13, This vulnerability is fixed in 4.1.2 and 4.0.13. | ||
| CVE-2025-50200 | 0.00 | — | 0.00 | Jun 19, 2025 | RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ is logging authorization headers in plaintext encoded in base64. When querying RabbitMQ api with HTTP/s with basic authentication it creates logs with all headers in request, including… | |||
| CVE-2023-46118 | 0.00 | — | 0.01 | Oct 24, 2023 | RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API did not enforce an HTTP request body limit, making it vulnerable for denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish a very large… | |||
| CVE-2023-46120 | 0.00 | — | 0.01 | Oct 24, 2023 | The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error.… | |||
| CVE-2022-31008 | 0.00 | — | 0.00 | Oct 6, 2022 | RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of… | |||
| CVE-2021-32719 | 0.00 | — | 0.01 | Jun 28, 2021 | RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.18, when a federation link was displayed in the RabbitMQ management UI via the `rabbitmq_federation_management` plugin, its consumer tag was rendered without proper tag sanitization.… | |||
| CVE-2021-32718 | 0.00 | — | 0.01 | Jun 28, 2021 | RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.17, a new user being added via management UI could lead to the user's bane being rendered in a confirmation message without proper `` tag sanitization, potentially allowing for… | |||
| CVE-2020-35196 | 0.00 | — | 0.02 | Dec 17, 2020 | The official rabbitmq docker images before 3.7.13-beta.1-management-alpine (Alpine specific) contain a blank password for a root user. System using the rabbitmq docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access… | |||
| CVE-2014-9650 | 0.00 | — | 0.03 | Jan 27, 2015 | CRLF injection vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the download parameter to api/definitions. | |||
| CVE-2014-9649 | 0.00 | — | 0.02 | Jan 27, 2015 | Cross-site scripting (XSS) vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary web script or HTML via the path info to api/, which is not properly handled in an error message. | |||
| CVE-2014-9494 | 0.00 | — | 0.01 | Jan 20, 2015 | RabbitMQ before 3.4.0 allows remote attackers to bypass the loopback_users restriction via a crafted X-Forwareded-For header. |
- risk 0.49cvss 7.5epss 0.01
The metrics-collection component in RabbitMQ for Pivotal Cloud Foundry (PCF) 1.6.x before 1.6.4 logs command lines of failed commands, which might allow context-dependent attackers to obtain sensitive information by reading the log data, as demonstrated by a syslog message that…
- risk 0.46cvss 8.1epss 0.00
RabbitMQ is a messaging and streaming broker. From 4.2.0 to before 4.2.4, RabbitMQ's MQTT plugin allows for topic-level authorization using regular expressions with variable substitution. Administrators can create patterns such as ^{client_id}-sensors$ to restrict user access to…
- risk 0.43cvss 6.5epss 0.04
The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter.
- risk 0.42cvss 6.5epss 0.00
RabbitMQ is a feature rich, multi-protocol messaging and streaming broker. In affected versions queue deletion via the HTTP API was not verifying the `configure` permission of the user. Users who had all of the following: 1. Valid credentials, 2. Some permissions for the target…
- risk 0.33cvss 6.1epss 0.00
RabbitMQ is a messaging and streaming broker. Versions prior to 4.0.3 are vulnerable to a sophisticated attack that could modify virtual host name on disk and then make it unrecoverable (with other on disk file modifications) can lead to arbitrary JavaScript code execution in…
- risk 0.24cvss 4.8epss 0.00
RabbitMQ is a messaging and streaming broker. From 3.7.0 to before 4.1.2 and 4.0.13, This vulnerability is fixed in 4.1.2 and 4.0.13.
- CVE-2025-50200Jun 19, 2025risk 0.00cvss —epss 0.00
RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ is logging authorization headers in plaintext encoded in base64. When querying RabbitMQ api with HTTP/s with basic authentication it creates logs with all headers in request, including…
- CVE-2023-46118Oct 24, 2023risk 0.00cvss —epss 0.01
RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API did not enforce an HTTP request body limit, making it vulnerable for denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish a very large…
- CVE-2023-46120Oct 24, 2023risk 0.00cvss —epss 0.01
The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error.…
- CVE-2022-31008Oct 6, 2022risk 0.00cvss —epss 0.00
RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of…
- CVE-2021-32719Jun 28, 2021risk 0.00cvss —epss 0.01
RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.18, when a federation link was displayed in the RabbitMQ management UI via the `rabbitmq_federation_management` plugin, its consumer tag was rendered without proper tag sanitization.…
- CVE-2021-32718Jun 28, 2021risk 0.00cvss —epss 0.01
RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.17, a new user being added via management UI could lead to the user's bane being rendered in a confirmation message without proper `` tag sanitization, potentially allowing for…
- CVE-2020-35196Dec 17, 2020risk 0.00cvss —epss 0.02
The official rabbitmq docker images before 3.7.13-beta.1-management-alpine (Alpine specific) contain a blank password for a root user. System using the rabbitmq docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access…
- CVE-2014-9650Jan 27, 2015risk 0.00cvss —epss 0.03
CRLF injection vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the download parameter to api/definitions.
- CVE-2014-9649Jan 27, 2015risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary web script or HTML via the path info to api/, which is not properly handled in an error message.
- CVE-2014-9494Jan 20, 2015risk 0.00cvss —epss 0.01
RabbitMQ before 3.4.0 allows remote attackers to bypass the loopback_users restriction via a crafted X-Forwareded-For header.