Description
RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and earlier, RabbitMQ writes HTTP request headers to its log in plaintext, including the Authorization header. When the RabbitMQ HTTP API is queried over HTTP or HTTPS with basic authentication, the resulting log entry contains every header of the request, and the Authorization header carries nothing more than the base64 encoding of username:password. Base64 is trivially decoded, so anyone with read access to the logs (or to wherever the logs are shipped) can recover the credentials and, depending on the permissions of that account, use them to take control of the broker. This issue has been patched in version 4.0.8. The commits listed under Notes show the header logging being introduced in v4.1.0-alpha and backported in v3.13.2-rc.1, which is why earlier 3.x series are not affected.
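Because the exposure described above lives in log files that may already have been shipped elsewhere, the practical response is to find every Basic credential that was logged, rotate those accounts, and scrub the copies. The Python script below is an added example, not code from RabbitMQ or from the advisory: it scans log lines for HTTP Basic tokens, decodes them to identify the affected accounts, and returns a redacted copy of each line. The log lines are constructed for the example; since the exact layout of RabbitMQ's header dump is not reproduced on this page, the pattern only assumes the header name followed by a short run of punctuation, which covers raw HTTP, JSON and Erlang-map renderings alike.

```python
import base64
import binascii
import re
from typing import List, NamedTuple, Optional, Tuple

# Match an HTTP Basic credential wherever a header dump places it: the header
# name, then a short run of punctuation (": " in raw HTTP, '": "' in JSON,
# '">> => <<"' in an Erlang map), then "Basic " and a base64 token.
# The punctuation run is an assumption about log layout, hence the loose class.
BASIC_AUTH_RE = re.compile(
    r"(?i)(authorization[^a-z0-9+/]{0,12}basic\s+)([A-Za-z0-9+/]+={0,2})"
)

# Constructed sample log lines; they imitate plausible renderings, not a real capture.
SAMPLE_LOG_LINES = [
    # 1: Erlang-map style dump of request headers (user guest / password guest)
    '2025-03-01 12:00:00.000 [debug] <0.1234.0> request headers: '
    '#{<<"authorization">> => <<"Basic Z3Vlc3Q6Z3Vlc3Q=">>,<<"host">> => <<"localhost:15672">>}',
    # 2: raw HTTP style line from a reverse proxy in front of the API (admin / s3cret!)
    'GET /api/overview HTTP/1.1 Authorization: Basic YWRtaW46czNjcmV0IQ== Host: rmq.example.internal',
    # 3: Bearer token: not Basic, must be left alone
    'headers: {"authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc", "host": "localhost:15672"}',
    # 4: valid base64 but no "user:password" inside: redacted, but not reported as a leak
    'headers: {"authorization": "Basic bm90YmFzZTY0"}',
    # 5: ordinary line with no credential at all
    '2025-03-01 12:00:01.000 [info] <0.1234.0> accepting AMQP connection 127.0.0.1:52000',
]


class Leak(NamedTuple):
    line_no: int
    username: str
    password: str


def decode_basic(token: str) -> Optional[Tuple[str, str]]:
    """Decode a Basic token to (user, password); None if it is not one.

    validate=True rejects non-alphabet characters, and bad padding raises too,
    so anything that merely looks like base64 is filtered out here.
    """
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    # RFC 7617: the user-id may not contain ':', the password may, so split once.
    user, _, password = raw.partition(":")
    return user, password


def find_leaks(lines: List[str]) -> List[Leak]:
    """Return every decodable user:password credential found in the lines."""
    leaks: List[Leak] = []
    for line_no, line in enumerate(lines, 1):
        for match in BASIC_AUTH_RE.finditer(line):
            creds = decode_basic(match.group(2))
            if creds is not None:
                leaks.append(Leak(line_no, creds[0], creds[1]))
    return leaks


def affected_accounts(leaks: List[Leak]) -> List[str]:
    """Distinct usernames whose passwords appeared in the logs, i.e. the rotation list."""
    return sorted({leak.username for leak in leaks})


def redact(line: str) -> str:
    """Replace any Basic token, decodable or not, while keeping the header name."""
    return BASIC_AUTH_RE.sub(lambda m: m.group(1) + "[REDACTED]", line)


if __name__ == "__main__":
    found = find_leaks(SAMPLE_LOG_LINES)
    for leak in found:
        # Print the account, never the password: this output is itself a log.
        print(f"line {leak.line_no}: user={leak.username!r} "
              f"password exposed ({len(leak.password)} chars)")
    print("rotate:", ", ".join(affected_accounts(found)))
    for line in SAMPLE_LOG_LINES:
        print(redact(line))
```

Run it against the real broker log directory and against every downstream copy (log shipper buffers, SIEM indices, backups): redacting the file on the broker does nothing for copies that already left the host, and every username the scan reports should be treated as compromised and rotated, not merely scrubbed.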
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| rabbitmq-server | fixed | 4.0.5-9 | package | |
| rabbitmq-server | no-dsa | trixie | package | |
| rabbitmq-server | not-affected | bookworm | package | |
| rabbitmq-server | not-affected | bullseye | package | |
Notes
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-gh3x-4x42-fvq8
Fixed by https://github.com/rabbitmq/rabbitmq-server/pull/13612
Introduced with: https://github.com/rabbitmq/rabbitmq-server/commit/383ddb16341200f63091e2dd8bb7c0c6346e3ef7 (v4.1.0-alpha)
Introduced with (backport): https://github.com/rabbitmq/rabbitmq-server/commit/a4465d7a728a41dba125c6c0553f124b45dbb6bd (v3.13.2-rc.1)
Fixed by: https://github.com/rabbitmq/rabbitmq-server/commit/0a7c86b4807619b1ab52c18f091752d4f711d5b1 (v4.2.0-beta.1)
EPSS
Related vulnerabilities
(three related entries, each carrying the same description as above)