CVE-2023-46118
MEDIUM — RabbitMQ < 3.11.24 - Authenticated Denial of Service via HTTP API Large Message
Title source: llmDescription
RabbitMQ is a multi-protocol messaging and streaming broker. The HTTP API did not enforce an HTTP request body limit, making it vulnerable to denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish very large messages over the HTTP API and cause the target node to be terminated by an "out-of-memory killer"-like mechanism. This vulnerability has been patched in versions 3.11.24 and 3.12.7.
References (3)
Third Party Advisory
https://www.debian.org/security/2023/dsa-5571
Vendor Advisory
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-w6cq-9cf4-gqpg
Scores
CVSS v3
4.9
EPSS
0.0030
EPSS Percentile
53.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-400
Status
published
Products (1)
vmware/rabbitmq
< 3.11.24
Published
Oct 25, 2023
Tracked Since
Feb 18, 2026