Описание
RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ is logging authorization headers in plaintext encoded in base64. When querying RabbitMQ api with HTTP/s with basic authentication it creates logs with all headers in request, including authorization headers which show base64 encoded username:password. This is easy to decode and afterwards could be used to obtain control to the system depending on credentials. This issue has been patched in version 4.0.8.
A flaw was found in rabbitmq-server. RabbitMQ encode authorization headers in plaintext and log them when queried via HTTP/s with basic authentication. This results in sensitive information, including authentication credentials, being stored in log files. A malicious actor can potentially retrieve these credentials by accessing the RabbitMQ logs. This exposure can lead to unauthorized access to the RabbitMQ system.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat OpenStack Platform 16.2 | rabbitmq-server | Out of support scope | ||
| Red Hat OpenStack Platform 17.1 | rabbitmq-server | Out of support scope | ||
| Red Hat OpenStack Platform 18.0 | rabbitmq-server | Fix deferred |
Показывать по
Дополнительная информация
Статус:
4.4 Medium
CVSS3
Связанные уязвимости
RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ is logging authorization headers in plaintext encoded in base64. When querying RabbitMQ api with HTTP/s with basic authentication it creates logs with all headers in request, including authorization headers which show base64 encoded username:password. This is easy to decode and afterwards could be used to obtain control to the system depending on credentials. This issue has been patched in version 4.0.8.
RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ is logging authorization headers in plaintext encoded in base64. When querying RabbitMQ api with HTTP/s with basic authentication it creates logs with all headers in request, including authorization headers which show base64 encoded username:password. This is easy to decode and afterwards could be used to obtain control to the system depending on credentials. This issue has been patched in version 4.0.8.
RabbitMQ Node can log Basic Auth header from an HTTP request
RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and p ...
4.4 Medium
CVSS3