rabbitmq-server is vulnerable to denial of service. The vulnerability exists because the “X-Reason” HTTP header is not sanitized, which can be leveraged to insert a malicious Erlang format string that expands and consumes the heap, resulting in the server crashing.
access.redhat.com/errata/RHSA-2020:0078
git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2019-11287
github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin
lists.debian.org/debian-lts-announce/2021/07/msg00011.html
lists.fedoraproject.org/archives/list/[email protected]/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/
lists.fedoraproject.org/archives/list/[email protected]/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/
pivotal.io/security/cve-2019-11287