Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-31008

RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log. Patched versions correctly use a cluster-wide secret for that purpose. This issue has been addressed and Patched versions: `3.10.2`, `3.9.18`, `3.8.32` are available. Users unable to upgrade should disable the Shovel and Federation plugins.

Published

2022-10-06T18:16:00.783

Last Modified

2025-04-02T14:13:43.180

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.5 (MEDIUM)

Weaknesses

Type: Secondary
CWE-330
Type: Primary
CWE-335

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	broadcom	rabbitmq_server	< 3.9.18	Yes
Application	broadcom	rabbitmq_server	< 3.10.2	Yes
Application	vmware	rabbitmq	< 3.8.32	Yes

References

https://github.com/rabbitmq/rabbitmq-server/pull/4841 Patch, Third Party Advisory ([email protected])
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8 Third Party Advisory ([email protected])
https://github.com/rabbitmq/rabbitmq-server/pull/4841 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)