Описание
RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ is logging authorization headers in plaintext encoded in base64. When querying RabbitMQ api with HTTP/s with basic authentication it creates logs with all headers in request, including authorization headers which show base64 encoded username:password. This is easy to decode and afterwards could be used to obtain control to the system depending on credentials. This issue has been patched in version 4.0.8.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| rabbitmq-server | fixed | 4.0.5-9 | package | |
| rabbitmq-server | fixed | 4.0.5-6+deb13u2 | trixie | package |
| rabbitmq-server | not-affected | bookworm | package | |
| rabbitmq-server | not-affected | bullseye | package |
Примечания
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-gh3x-4x42-fvq8
Fixed by https://github.com/rabbitmq/rabbitmq-server/pull/13612
Introduced with: https://github.com/rabbitmq/rabbitmq-server/commit/383ddb16341200f63091e2dd8bb7c0c6346e3ef7 (v4.1.0-alpha)
Introduced with (backport): https://github.com/rabbitmq/rabbitmq-server/commit/a4465d7a728a41dba125c6c0553f124b45dbb6bd (v3.13.2-rc.1)
Fixed by: https://github.com/rabbitmq/rabbitmq-server/commit/0a7c86b4807619b1ab52c18f091752d4f711d5b1 (v4.2.0-beta.1)
EPSS
Связанные уязвимости
RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ is logging authorization headers in plaintext encoded in base64. When querying RabbitMQ api with HTTP/s with basic authentication it creates logs with all headers in request, including authorization headers which show base64 encoded username:password. This is easy to decode and afterwards could be used to obtain control to the system depending on credentials. This issue has been patched in version 4.0.8.
RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ is logging authorization headers in plaintext encoded in base64. When querying RabbitMQ api with HTTP/s with basic authentication it creates logs with all headers in request, including authorization headers which show base64 encoded username:password. This is easy to decode and afterwards could be used to obtain control to the system depending on credentials. This issue has been patched in version 4.0.8.
RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ is logging authorization headers in plaintext encoded in base64. When querying RabbitMQ api with HTTP/s with basic authentication it creates logs with all headers in request, including authorization headers which show base64 encoded username:password. This is easy to decode and afterwards could be used to obtain control to the system depending on credentials. This issue has been patched in version 4.0.8.
RabbitMQ Node can log Basic Auth header from an HTTP request
EPSS