CVE-2019-11287

HIGH

Broadcom Rabbitmq Server < 3.8.1 - Denial of Service

Title source: rule

Description

Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

Exploits (1)

nomisec SUSPICIOUS
by mbadanoiu · poc
https://github.com/mbadanoiu/CVE-2019-11287

Scores

CVSS v3 7.5
EPSS 0.0305
EPSS Percentile 86.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE
CWE-134 CWE-400
Status published

Affected Products (8)

broadcom/rabbitmq_server < 3.8.1
pivotal_software/rabbitmq < 1.16.7
pivotal_software/rabbitmq < 3.7.21
fedoraproject/fedora
fedoraproject/fedora
redhat/openstack
debian/debian_linux
Hex/RabbitMQ < 3.7.21

Timeline

Published Nov 23, 2019
Tracked Since Feb 18, 2026