exploitDog

CVE-2022-31008

Published: 05 Oct 2022
Source: redhat
CVSS3: 7.5

Description

RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log. Patched versions correctly use a cluster-wide secret for that purpose. This issue has been addressed, and patched versions 3.10.2, 3.9.18, and 3.8.32 are available. Users unable to upgrade should disable the Shovel and Federation plugins.

A flaw was found in RabbitMQ. The shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. In certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log.

Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat OpenStack Platform 13 (Queens) | rabbitmq-server | Out of support scope | | |
| Red Hat OpenStack Platform 16.1 | rabbitmq-server | Not affected | | |
| Red Hat OpenStack Platform 16.2 | rabbitmq-server | Not affected | | |
| Red Hat OpenStack Platform 17.0 | rabbitmq-server | Not affected | | |


Additional information

Status: Moderate
Defect: CWE-337
https://bugzilla.redhat.com/show_bug.cgi?id=2141397 rabbitmq-server: URI encryption with predictable secret seed

CVSS3: 7.5 High

Related vulnerabilities

CVSS3: 5.5
ubuntu
more than 3 years ago

RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log. Patched versions correctly use a cluster-wide secret for that purpose. This issue has been addressed, and patched versions `3.10.2`, `3.9.18`, and `3.8.32` are available. Users unable to upgrade should disable the Shovel and Federation plugins.

CVSS3: 5.5
nvd
more than 3 years ago

RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log. Patched versions correctly use a cluster-wide secret for that purpose. This issue has been addressed, and patched versions `3.10.2`, `3.9.18`, and `3.8.32` are available. Users unable to upgrade should disable the Shovel and Federation plugins.

CVSS3: 5.5
debian
more than 3 years ago

RabbitMQ is a multi-protocol messaging and streaming broker. In affect ...

suse-cvrf
about 3 years ago

Security update for rabbitmq-server

suse-cvrf
more than 1 year ago

Feature update for rabbitmq-server313, erlang26, elixir115
