Use of insufficiently random values in RabbitMQ Server - CVE-2022-31008

 

Use of insufficiently random values in RabbitMQ Server - CVE-2022-31008

Published: November 13, 2022


Vulnerability identifier: #VU69263
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-31008
CWE-ID: CWE-330
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: VMware, Inc
Affected software:
RabbitMQ Server

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exist due to insufficient randomization in Shovel and Federation plugins when obfuscating URI. The encryption key used to encrypt the URI was seeded with a predictable secret. A remote attacker can gain access to sensitive information.


How to mitigate CVE-2022-31008

Install updates from vendor's website.

Sources