{"containers": {"cna": {"affected": [{"product": "RabbitMQ", "vendor": "n/a", "versions": [{"status": "affected", "version": "RabbitMQ prior to version 3.8.16"}]}], "descriptions": [{"lang": "en", "value": "RabbitMQ all versions prior to 3.8.16 are prone to a denial of service vulnerability due to improper input validation in AMQP 1.0 client connection endpoint. A malicious user can exploit the vulnerability by sending malicious AMQP messages to the target RabbitMQ instance having the AMQP 1.0 plugin enabled."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-07-19T19:06:20", "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://tanzu.vmware.com/security/cve-2021-22116"}, {"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@vmware.com", "ID": "CVE-2021-22116", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "RabbitMQ", "version": {"version_data": [{"version_value": "RabbitMQ prior to version 3.8.16"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "RabbitMQ all versions prior to 3.8.16 are prone to a denial of service vulnerability due to improper input validation in AMQP 1.0 client connection endpoint. A malicious user can exploit the vulnerability by sending malicious AMQP messages to the target RabbitMQ instance having the AMQP 1.0 plugin enabled."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://tanzu.vmware.com/security/cve-2021-22116", "refsource": "MISC", "url": "https://tanzu.vmware.com/security/cve-2021-22116"}, {"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:30:23.992Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://tanzu.vmware.com/security/cve-2021-22116"}, {"name": "[debian-lts-announce] 20210719 [SECURITY] [DLA 2710-1] rabbitmq-server security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"}]}]}, "cveMetadata": {"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "assignerShortName": "vmware", "cveId": "CVE-2021-22116", "datePublished": "2021-06-08T11:23:58", "dateReserved": "2021-01-04T00:00:00", "dateUpdated": "2024-08-03T18:30:23.992Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:rabbitmq:*:*:*:*:*:*:*:*", "matchCriteriaId": "421A839D-BA8C-4273-A475-9FF0BF9687F6", "versionEndExcluding": "3.8.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "RabbitMQ all versions prior to 3.8.16 are prone to a denial of service vulnerability due to improper input validation in AMQP 1.0 client connection endpoint. A malicious user can exploit the vulnerability by sending malicious AMQP messages to the target RabbitMQ instance having the AMQP 1.0 plugin enabled."}, {"lang": "es", "value": "RabbitMQ todas las versiones anteriores a 3.8.16 son propensas a una vulnerabilidad de denegaci\u00f3n de servicio debido a la comprobaci\u00f3n inapropiada de entradas en el endpoint de conexi\u00f3n del cliente AMQP versi\u00f3n 1.0. Un usuario malicioso puede explotar la vulnerabilidad mediante el envio de mensajes AMQP maliciosos a la instancia RabbitMQ de destino que tenga el plugin AMQP versi\u00f3n 1.0 habilitado"}], "id": "CVE-2021-22116", "lastModified": "2024-11-21T05:49:32.330", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-08T12:15:10.347", "references": [{"source": "security@vmware.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"}, {"source": "security@vmware.com", "tags": ["Vendor Advisory"], "url": "https://tanzu.vmware.com/security/cve-2021-22116"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://tanzu.vmware.com/security/cve-2021-22116"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security@vmware.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "rabbitmq-server: improper input validation may lead to DoS", "id": "1961638", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1961638"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-20", "details": ["RabbitMQ all versions prior to 3.8.16 are prone to a denial of service vulnerability due to improper input validation in AMQP 1.0 client connection endpoint. A malicious user can exploit the vulnerability by sending malicious AMQP messages to the target RabbitMQ instance having the AMQP 1.0 plugin enabled.", "A flaw was found in rabbitmq-server, where insufficient input validation in the AMQP 1.0 client connection endpoint could allow a denial of service. The highest threat from this vulnerability is to system availability."], "name": "CVE-2021-22116", "package_state": [{"cpe": "cpe:/a:redhat:ansible_tower:3", "fix_state": "Not affected", "package_name": "rabbitmq-server", "product_name": "Red Hat Ansible Tower 3"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "impact": "low", "package_name": "rabbitmq-server", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "impact": "low", "package_name": "rabbitmq-server", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:16", "fix_state": "Will not fix", "impact": "low", "package_name": "rabbitmq-server", "product_name": "Red Hat OpenStack Platform 16 (Train)"}], "public_date": "2021-05-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-22116\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-22116\nhttps://tanzu.vmware.com/security/cve-2021-22116"], "statement": "While Red Hat OpenStack Platform ships the affected rabbitmq-server package, RabbitMQ is not exposed outside the management network. As this network is tightly-regulated to OpenStack administrators, the risk for abuse is significantly reduced. Additionally, by default the affected plugin (AMQP 1.0) is not enabled. No update will be provided at this time for the RHOSP rabbitmq-server package.", "threat_severity": "Moderate"}

{}