RabbitMQ flaws could leak OAuth secrets and expose cross-tenant queue metadata

Two RabbitMQ access control flaws could leak OAuth secrets and expose cross-tenant queue metadata

CSBadmin
1 Min Read

Two access control vulnerabilities in the RabbitMQ message broker could allow attackers to leak OAuth client secrets and read cross-tenant queue metadata, exposing enterprise messaging infrastructure to takeover risks, security researchers at Miggo have disclosed.

The first and most critical flaw allows an unauthenticated attacker to retrieve the brokers OAuth client secret in a single request, providing a direct path to full broker takeover in configurations that use that secret for authentication. The second vulnerability permits any authenticated user to silently read queue metadata belonging to other tenants, bypassing tenant isolation boundaries.

Both shortcomings have been present in the codebase since early 2024, affecting RabbitMQ release lines from 3.13.0 onward. The maintainers have addressed the issues in versions 4.3.0, 4.2.6, 4.1.11, 4.0.20, and 3.13.15. No evidence of active exploitation has been observed prior to the public disclosure. Organizations running RabbitMQ should update to patched versions immediately and rotate any OAuth secrets that may have been exposed.

HTMLEOF

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.