{"id":"CVE-2019-11287","details":"Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The \"X-Reason\" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.","aliases":["GHSA-hrfh-7j5f-8ccr"],"modified":"2026-03-15T22:27:01.529120Z","published":"2019-11-23T00:15:10.683Z","related":["SUSE-SU-2022:3338-1","SUSE-SU-2022:3339-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"},{"type":"ADVISORY","url":"https://pivotal.io/security/cve-2019-11287"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0078"},{"type":"EVIDENCE","url":"https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rabbitmq/rabbitmq-server","events":[{"introduced":"967ffac80a454b24be03b00e623469cf2380ee89"},{"fixed":"ed70791a5e1c8ef14e7e53ad59503d68d9a45f90"},{"introduced":"29c4192f65e052072a18885af88376e223ff9731"},{"fixed":"d75eb86dae6fbdc79b5413eb577bf36d9f3a6c87"}],"database_specific":{"versions":[{"introduced":"3.8.0"},{"fixed":"3.8.1"},{"introduced":"3.7.0"},{"fixed":"3.7.21"}]}}],"versions":["v3.7.0","v3.7.1","v3.7.1-beta.1","v3.7.10","v3.7.10-rc.1","v3.7.10-rc.2","v3.7.10-rc.3","v3.7.10-rc.4","v3.7.11","v3.7.11-rc.1","v3.7.11-rc.2","v3.7.12","v3.7.12-rc.1","v3.7.12-rc.2","v3.7.13","v3.7.13-beta.1","v3.7.13-rc.1","v3.7.13-rc.2","v3.7.14","v3.7.14-rc.1","v3.7.14-rc.2","v3.7.15","v3.7.15-beta.1","v3.7.16","v3.7.16-beta.1","v3.7.16-rc.3","v3.7.16-rc.4","v3.7.17","v3.7.17-beta.1","v3.7.17-rc.1","v3.7.17-rc.2","v3.7.17-rc.3","v3.7.18","v3.7.18-beta.1","v3.7.18-rc.1","v3.7.19","v3.7.2","v3.7.20","v3.7.20-beta.1","v3.7.20-rc.1","v3.7.20-rc.2","v3.7.3","v3.7.3-rc.1","v3.7.3-rc.2","v3.7.4","v3.7.4-rc.1","v3.7.4-rc.2","v3.7.4-rc.3","v3.7.4-rc.4","v3.7.5","v3.7.5-beta.1","v3.7.5-beta.2","v3.7.5-beta.3","v3.7.5-rc.1","v3.7.6","v3.7.6-rc.1","v3.7.6-rc.2","v3.7.7","v3.7.7-beta.1","v3.7.7-beta.2","v3.7.7-rc.1","v3.7.7-rc.2","v3.7.8","v3.7.8-rc.1","v3.7.8-rc.2","v3.7.8-rc.3","v3.7.8-rc.4","v3.7.9","v3.7.9-rc.1","v3.7.9-rc.2","v3.7.9-rc.3","v3.8.0","v3.8.1-beta.1","v3.8.1-beta.2","v3.8.1-rc.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11287.json","unresolved_ranges":[{"events":[{"introduced":"1.16.0"},{"fixed":"1.16.7"}]},{"events":[{"introduced":"1.17.0"},{"fixed":"1.17.4"}]},{"events":[{"introduced":"0"},{"last_affected":"30"}]},{"events":[{"introduced":"0"},{"last_affected":"31"}]},{"events":[{"introduced":"0"},{"last_affected":"15"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}