PT-2019-6428 · Rabbitmq+7 · C Amqp Client Library+7

Published: 2019-09-19 · Updated: 2026-03-29 · CVE-2023-35789

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

C AMQP client library (aka rabbitmq-c) versions 0.13.0 and earlier

Description

An issue was discovered in the C AMQP client library for RabbitMQ, where credentials can only be entered on the command line and are thus visible to local attackers by listing a process and its arguments. This is related to insufficient protection of credentials, which can allow an attacker to gain access to confidential data.

Recommendations

For versions 0.13.0 and earlier, consider restricting access to command line arguments to minimize the risk of exploitation. As a temporary workaround, avoid using command line tools like amqp-publish or amqp-consume that require entering credentials directly on the command line until a patch is available.

Fix

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

ALSA-2023:6482
ALSA-2023:7150
ALT-PU-2023-7512
ALT-PU-2023-7516
ALT-PU-2024-2600
AZL-43804
AZL-45114
BDU:2024-06934
BIT-RABBITMQ-C-2023-35789
CESA-2023_7150
CVE-2023-35789
DLA-4096-1
INFSA-2023_6482
OESA-2023-1399
OPENSUSE-SU-2024:13028-1
RHSA-2023:6482
RHSA-2023:7150
RHSA-2023_6482
RHSA-2023_7150
SUSE-SU-2023:2823-1
SUSE-SU-2023_2823-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
C AMQP Client Library
CentOS
Debian
Red Hat
SUSE