cve-2022-31008
Vulnerability from cvelistv5
Published
2022-10-06 00:00
Modified
2024-08-03 07:03
Summary
Predictable credential obfuscation seed value used in rabbitmq-server
Impacted products
rabbitmqrabbitmq-server
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:03:40.269Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/rabbitmq/rabbitmq-server/pull/4841"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rabbitmq-server",
          "vendor": "rabbitmq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.8.32"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.9.0, \u003c 3.9.18"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.10.0, \u003c 3.10.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log. Patched versions correctly use a cluster-wide secret for that purpose. This issue has been addressed and Patched versions: `3.10.2`, `3.9.18`, `3.8.32` are available. Users unable to upgrade should disable the Shovel and Federation plugins."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-330",
              "description": "CWE-330: Use of Insufficiently Random Values",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-11T00:00:00",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8"
        },
        {
          "url": "https://github.com/rabbitmq/rabbitmq-server/pull/4841"
        }
      ],
      "source": {
        "advisory": "GHSA-v9gv-xp36-jgj8",
        "discovery": "UNKNOWN"
      },
      "title": "Predictable credential obfuscation seed value used in rabbitmq-server"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-31008",
    "datePublished": "2022-10-06T00:00:00",
    "dateReserved": "2022-05-18T00:00:00",
    "dateUpdated": "2024-08-03T07:03:40.269Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-31008\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-10-06T18:16:00.783\",\"lastModified\":\"2023-07-21T17:09:18.657\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log. Patched versions correctly use a cluster-wide secret for that purpose. This issue has been addressed and Patched versions: `3.10.2`, `3.9.18`, `3.8.32` are available. Users unable to upgrade should disable the Shovel and Federation plugins.\"},{\"lang\":\"es\",\"value\":\"RabbitMQ es un broker de mensajer\u00eda y streaming multiprotocolo. En versiones afectadas los plugins shovel y federation llevan a cabo una ofuscaci\u00f3n de URI en su estado de trabajador (enlace). La clave de cifrado usada para cifrar el URI fue sembrada con un secreto predecible. Esto significa que en caso de determinadas excepciones relacionadas con los plugins Shovel y Federation, podr\u00edan aparecer datos razonablemente f\u00e1ciles de des ofuscar en el registro del nodo. Las versiones parcheadas usan correctamente un secreto para todo el cl\u00faster a tal efecto. Este problema se ha solucionado y las versiones parcheadas: \\\"3.10.2\\\", \\\"3.9.18\\\", \\\"3.8.32\\\" est\u00e1n disponibles. Los usuarios que no puedan actualizar deber\u00e1n deshabilitar los plugins Shovel y Federation\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-335\"}]},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-330\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:rabbitmq:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.8.32\",\"matchCriteriaId\":\"F7ACC5FD-236D-4454-B306-C5C8F70FB5B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:rabbitmq:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.9.0\",\"versionEndExcluding\":\"3.9.18\",\"matchCriteriaId\":\"E6E32B0B-C0C0-4D8F-9EA0-A611F9542942\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:rabbitmq:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.10.0\",\"versionEndExcluding\":\"3.10.2\",\"matchCriteriaId\":\"99B5A575-A35B-4844-A3A6-647A0DAFC7AF\"}]}]}],\"references\":[{\"url\":\"https://github.com/rabbitmq/rabbitmq-server/pull/4841\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.