Home > Vulnerability Database > CVE-2022-31008

Mend.io Vulnerability Database

CVE-2022-31008

Good to know:

Date: October 6, 2022

RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log. Patched versions correctly use a cluster-wide secret for that purpose. This issue has been addressed and Patched versions: `3.10.2`, `3.9.18`, `3.8.32` are available. Users unable to upgrade should disable the Shovel and Federation plugins.

Language: ERLANG

Severity Score

7.5

Related Resources (6)

Url: https://www.cve.org/CVERecord?id=CVE-2022-31008

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-31008

Url: https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8

Url: https://security-tracker.debian.org/tracker/CVE-2022-31008

Url: https://github.com/rabbitmq/rabbitmq-server/pull/4841

Url: https://www.mend.io/vulnerability-database/CVE-2022-31008

Severity Score

7.5

Weakness Type (CWE)

Use of Insufficiently Random Values

CWE-330

Insufficient Information

NVD-CWE-noinfo

Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

CWE-335

Top Fix

Upgrade Version

Upgrade to version v3.8.32,v3.9.18,v3.10.2

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-31008

Good to know:

Date: October 6, 2022

Language: ERLANG

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?