Summary
Responsibly disclosed by @NSEcho.
The HTTP API did not enforce an HTTP request body limit, making it vulnerable to DoS attacks with very large messages.
Details
An authenticated user with sufficient credentials can publish very large messages over the HTTP API
and cause the target node to be terminated by an "out-of-memory killer"-like mechanism.
A PoC was provided to Team RabbitMQ privately.
Impact
Denial of Service
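The defect is the absence of an upper bound on the request body: a handler that reads the whole body before acting allocates memory proportional to whatever the client sends. The following is an added illustration, not RabbitMQ's code (its HTTP API is implemented in Erlang): a minimal Go HTTP handler shown without a body limit and then with one enforced through the standard library's http.MaxBytesReader. The handler path, the 1 MiB limit and the in-process test helper are constructed for this example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxPublishBody is a constructed limit for this example; a real deployment
// would size it to the largest message the API is expected to carry.
const maxPublishBody = 1 << 20 // 1 MiB

// unboundedPublish mirrors the vulnerable pattern: the entire body is read
// into memory first, so an N-byte request costs N bytes of heap regardless
// of what the server can afford.
func unboundedPublish(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
	fmt.Fprintf(w, "accepted %d bytes", len(body))
}

// boundedPublish is the hardened form: the body is wrapped in a
// MaxBytesReader, so reading stops at maxPublishBody bytes and the server
// never buffers more than the configured limit per request.
func boundedPublish(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxPublishBody)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		// MaxBytesReader fails the read once the limit is exceeded and
		// also instructs the server to close the connection. (Go 1.19+
		// additionally exposes *http.MaxBytesError for errors.As.)
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	w.WriteHeader(http.StatusOK)
	fmt.Fprintf(w, "accepted %d bytes", len(body))
}

// PublishStatus drives a handler in-process with a body of bodySize bytes
// and returns the HTTP status code it produced. "/publish" is a constructed
// path, not a real API endpoint.
func PublishStatus(h http.HandlerFunc, bodySize int) int {
	req := httptest.NewRequest(http.MethodPost, "/publish",
		strings.NewReader(strings.Repeat("a", bodySize)))
	rr := httptest.NewRecorder()
	h(rr, req)
	return rr.Code
}

func main() {
	fmt.Println("unbounded, 2 MiB body :", PublishStatus(unboundedPublish, 2*maxPublishBody))
	fmt.Println("bounded, 1 MiB body   :", PublishStatus(boundedPublish, maxPublishBody))
	fmt.Println("bounded, 1 MiB+1 body :", PublishStatus(boundedPublish, maxPublishBody+1))
}
```

The bounded handler accepts a body of exactly the limit and rejects one byte more with 413 Request Entity Too Large, while the unbounded one accepts any size. In a real server the same cap should sit as early as possible in the request path (at the framework or reverse-proxy layer), and a 413 rate per client is a cheap signal to alert on.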