CVE-2023-46120 MEDIUM

CVE-2023-46120: RabbitMQ Java client's lack of message size limitation leads to remote DoS attack

Vendor Rabbitmq

Product rabbitmq-java-client

Weakness CWE-400

Published October 24, 2023

Last update September 11, 2024

View on NVD All CVEs

CVSS base score

4.9/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer. This vulnerability was patched in version 5.18.0.

Key dates

Disclosure timeline

October 24, 2023 CVE published

September 11, 2024 Record updated