Use of insufficiently random values in RabbitMQ Server - CVE-2022-31008


Published: November 13, 2022


Vulnerability identifier: #VU69263
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-31008
CWE-ID: CWE-330
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: RabbitMQ Server
Software vendor: VMware, Inc.

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient randomization in the Shovel and Federation plugins when obfuscating URIs. The encryption key used to encrypt the URI was seeded with a predictable secret. A remote attacker can gain access to sensitive information.


Remediation

Install updates from the vendor's website.

External links