CVE-2022-31008
Last modified
CVE-2022-31008 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. EPSS estimates a 0.31% chance of exploitation in the next 30 days.
Description
RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log. Patched versions correctly use a cluster-wide secret for that purpose. This issue has been addressed and Patched versions: `3.10.2`, `3.9.18`, `3.8.32` are available. Users unable to upgrade should disable the Shovel and Federation plugins.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Broadcom | Rabbitmq Server | >= 3.9.0, < 3.9.18 |
| Broadcom | Rabbitmq Server | >= 3.10.0, < 3.10.2 |
| Vmware | Rabbitmq | < 3.8.32 |
References
- https://github.com/rabbitmq/rabbitmq-server/pull/4841Patch, Third Party Advisory
- https://github.com/rabbitmq/rabbitmq-server/pull/4841Patch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-31008?
How severe is CVE-2022-31008?
How do I fix CVE-2022-31008?
Are you affected by CVE-2022-31008?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST