{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-31008", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T07:03:40.269Z", "dateReserved": "2022-05-18T00:00:00", "datePublished": "2022-10-06T00:00:00"}, "containers": {"cna": {"title": "Predictable credential obfuscation seed value used in rabbitmq-server", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-11T00:00:00"}, "descriptions": [{"lang": "en", "value": "RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log. Patched versions correctly use a cluster-wide secret for that purpose. This issue has been addressed and Patched versions: `3.10.2`, `3.9.18`, `3.8.32` are available. Users unable to upgrade should disable the Shovel and Federation plugins."}], "affected": [{"vendor": "rabbitmq", "product": "rabbitmq-server", "versions": [{"version": "< 3.8.32", "status": "affected"}, {"version": ">= 3.9.0, < 3.9.18", "status": "affected"}, {"version": ">= 3.10.0, < 3.10.2", "status": "affected"}]}], "references": [{"url": "https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8"}, {"url": "https://github.com/rabbitmq/rabbitmq-server/pull/4841"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-330: Use of Insufficiently Random Values", "cweId": "CWE-330"}]}], "source": {"advisory": "GHSA-v9gv-xp36-jgj8", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:03:40.269Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8", "tags": ["x_transferred"]}, {"url": "https://github.com/rabbitmq/rabbitmq-server/pull/4841", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D84222E-FE12-4A6F-9FDF-8EC477F9D507", "versionEndExcluding": "3.9.18", "versionStartIncluding": "3.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:broadcom:rabbitmq_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E1674E7-CC0A-43A0-AE45-BDC4355A70E4", "versionEndExcluding": "3.10.2", "versionStartIncluding": "3.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:rabbitmq:*:*:*:*:*:*:*:*", "matchCriteriaId": "F7ACC5FD-236D-4454-B306-C5C8F70FB5B7", "versionEndExcluding": "3.8.32", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log. Patched versions correctly use a cluster-wide secret for that purpose. This issue has been addressed and Patched versions: `3.10.2`, `3.9.18`, `3.8.32` are available. Users unable to upgrade should disable the Shovel and Federation plugins."}, {"lang": "es", "value": "RabbitMQ es un broker de mensajer\u00eda y streaming multiprotocolo. En versiones afectadas los plugins shovel y federation llevan a cabo una ofuscaci\u00f3n de URI en su estado de trabajador (enlace). La clave de cifrado usada para cifrar el URI fue sembrada con un secreto predecible. Esto significa que en caso de determinadas excepciones relacionadas con los plugins Shovel y Federation, podr\u00edan aparecer datos razonablemente f\u00e1ciles de des ofuscar en el registro del nodo. Las versiones parcheadas usan correctamente un secreto para todo el cl\u00faster a tal efecto. Este problema se ha solucionado y las versiones parcheadas: \"3.10.2\", \"3.9.18\", \"3.8.32\" est\u00e1n disponibles. Los usuarios que no puedan actualizar deber\u00e1n deshabilitar los plugins Shovel y Federation"}], "id": "CVE-2022-31008", "lastModified": "2025-04-02T14:13:43.180", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-06T18:16:00.783", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/rabbitmq/rabbitmq-server/pull/4841"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/rabbitmq/rabbitmq-server/pull/4841"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-330"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-335"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "rabbitmq-server: URI encryption with predictable secret seed", "id": "2141397", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141397"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-337", "details": ["RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log. Patched versions correctly use a cluster-wide secret for that purpose. This issue has been addressed and Patched versions: `3.10.2`, `3.9.18`, `3.8.32` are available. Users unable to upgrade should disable the Shovel and Federation plugins.", "A flaw was found in RabbitMQ. The shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. In certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log."], "name": "CVE-2022-31008", "package_state": [{"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "rabbitmq-server", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Not affected", "package_name": "rabbitmq-server", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "rabbitmq-server", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.0", "fix_state": "Not affected", "package_name": "rabbitmq-server", "product_name": "Red Hat OpenStack Platform 17.0"}], "public_date": "2022-10-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-31008\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-31008\nhttps://github.com/rabbitmq/rabbitmq-server/pull/4841\nhttps://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8"], "threat_severity": "Moderate"}