GHSA-hrfh-7j5f-8ccr · Severity: high · Ecosystem: erlang — Pivotal RabbitMQ is vulnerable to a denial of service attack
Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, ship a web management plugin that is vulnerable to a denial of service attack. The plugin passes the value of the "X-Reason" HTTP header into an Erlang format string, so a crafted header value can carry format directives that expand and consume the heap until the server crashes. The exposed surface is the management plugin's HTTP listener: a node that does not run the plugin, or whose management listener is unreachable to untrusted clients, is not reachable through this vector, and the fixed releases are 3.7.21, 3.8.1, 1.16.7 and 1.17.4.
Conclusion & alert: CVE-2019-11287 is rated High Exploit Risk (77.5/100): CVSS High severity, with medium exploitation likelihood (EPSS 4.60%). Core evidence: NVD carries one reference tagged as an exploit (Exploit-DB); no EDB-ID is recorded on this page, so treat this as an indexed reference rather than a verified weaponised exploit until it is checked. EPSS rose 1.22 percentage points in the latest daily update (3.39% to 4.60%), which suggests growing attacker interest. Mandatory action: a public exploit reference exists; assess exposure (is the management plugin enabled, and who can reach its listener?), apply mitigations, and prioritise patching to a fixed release.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | — | Exploit-DB ↗ |
EPSS lead: the daily EPSS score estimates the relative likelihood that this CVE is exploited in the wild over the next 30 days; the EPSS percentile ranks it among all scored vulnerabilities (a higher percentile means more likely to be exploited than more of its peers, not a higher severity). The table below lists the score changes recorded for this CVE; deltas are in percentage points.
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-04-20 | 3.39% | 4.60% | +1.22% |
| 2 | 2026-04-19 | 3.05% | 3.39% | +0.34% |
| 3 | 2026-01-24 | — | 3.05% | — |
Full EPSS history (25 records total)
CVSS metrics for this CVE (the vector strings were not captured on this page and are shown as "—"; the score-source e-mail addresses were obfuscated at extraction time).
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH | — | 3.9 | 3.6 | [email protected] |
| 4.5 | 3.0 | MEDIUM | — | 0.9 | 3.6 | [email protected] |
| 5.0 | 2.0 | MEDIUM | — | 10.0 | 2.9 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
| debian | not yet assigned | CVE-2019-11287 not yet assigned priority: Debian including 1 source package (rabbitmq-server), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2019-11287 |
| redhat | high | — | https://access.redhat.com/security/cve/CVE-2019-11287 |
| suse | high | CVE-2019-11287 severity important: SUSE including 49 source package names (ardana-ansible-8.0+git.1660773729.3789a6d-3.85.1, ardana-ansible-9.0+git.1660748476.c118d23-3.32.1, …), 118 product×package rows across 18 product lines (HPE Helion OpenStack 8, SUSE CaaS Platform 4.5, … (18 product lines)): Fixed 91, Known Not Affected 27. | https://www.suse.com/security/cve/CVE-2019-11287/ |
| ubuntu | low | CVE-2019-11287 low priority: Ubuntu including 1 source package (rabbitmq-server), 11 status rows across 11 suites (bionic, disco, eoan, focal, groovy, hirsute, impish, jammy, trusty, upstream, xenial): not-affected 5, ignored 2, released 2, DNE 1, needs-triage 1. | https://ubuntu.com/security/CVE-2019-11287 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| broadcom | rabbitmq_server | >= 3.8.0, < 3.8.1 | cpe:2.3:a:broadcom:rabbitmq_server:*:*:*:*:*:*:*:* |
| pivotal_software | rabbitmq | >= 1.16.0, < 1.16.7 | cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:pivotal_cloud_foundry:*:* |
| pivotal_software | rabbitmq | >= 1.17.0, < 1.17.4 | cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:pivotal_cloud_foundry:*:* |
| pivotal_software | rabbitmq | >= 3.7.0, < 3.7.21 | cpe:2.3:a:pivotal_software:rabbitmq:*:*:*:*:*:*:*:* |
| fedoraproject | fedora | 30 | cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:* |
| fedoraproject | fedora | 31 | cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:* |
| redhat | openstack | 15 | cpe:2.3:a:redhat:openstack:15:*:*:*:*:*:*:* |
| debian | debian_linux | 9.0 | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
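The affected ranges above are the data a practitioner actually needs to triage a fleet, so here is an added exposure check for this advisory. It is example code written for this page, not code from RabbitMQ, Pivotal or the vendor trackers. It encodes the two sets of ranges the advisory states (server 3.7.x/3.8.x, and the separately numbered RabbitMQ for Pivotal Platform tile 1.16.x/1.17.x), compares a reported version against them with pre-release tags treated as still vulnerable, and reads the version out of a management API `/api/overview` reply. The product keys `rabbitmq-server` and `rabbitmq-for-pivotal-platform` and the embedded `SAMPLE_OVERVIEW` document are constructed for the example; only the `rabbitmq_version` field is relied on.

```python
"""Exposure triage for CVE-2019-11287 (GHSA-hrfh-7j5f-8ccr).

Added example; not code from the page, RabbitMQ or Pivotal. It encodes the
affected version ranges the advisory states, compares a reported version
against them, and names the first fixed release in the same line.
"""
import json
import re

# Ranges from the advisory and the affected-products table:
# (first affected, inclusive) -> (first fixed, exclusive).
# The product keys are names chosen for this example.
AFFECTED_RANGES = {
    # Open-source server / Pivotal RabbitMQ (Broadcom and Pivotal CPEs above)
    "rabbitmq-server": [((3, 7, 0), (3, 7, 21)), ((3, 8, 0), (3, 8, 1))],
    # RabbitMQ for Pivotal Platform tile, which uses its own numbering
    "rabbitmq-for-pivotal-platform": [((1, 16, 0), (1, 16, 7)), ((1, 17, 0), (1, 17, 4))],
}

_VERSION_RE = re.compile(
    r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?P<tag>[-+][0-9A-Za-z.+-]*)?\s*$"
)
_PRERELEASE_RE = re.compile(r"^-(alpha|beta|rc|pre)", re.IGNORECASE)


def parse_version(text):
    """Return a comparable key (major, minor, patch, rank).

    rank is -1 for a pre-release tag ('3.7.21-rc.1' predates 3.7.21 and is
    still treated as vulnerable) and 0 for a final release; build metadata
    such as '+git.abc' does not change ordering. Raises ValueError on junk,
    e.g. an HTML error page returned where a version was expected."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(x or 0) for x in m.group(1, 2, 3))
    tag = m.group("tag") or ""
    rank = -1 if _PRERELEASE_RE.match(tag) else 0
    return (major, minor, patch, rank)


def check_exposure(product, version):
    """Return (affected, fixed_in).

    fixed_in is the first release of the same minor line outside the affected
    range, or None when the version lies outside every range. A version below
    3.7.0 is reported as not affected *by this advisory*; that says nothing
    about other bugs in unsupported lines."""
    key = parse_version(version)
    for low, high in AFFECTED_RANGES[product]:
        if low + (0,) <= key < high + (0,):
            return True, ".".join(map(str, high))
    return False, None


def triage_overview(overview_json, product="rabbitmq-server"):
    """Triage a management API /api/overview document via its
    rabbitmq_version field; returns a dict suitable for a ticket or SIEM event."""
    doc = json.loads(overview_json)
    version = doc["rabbitmq_version"]
    affected, fixed_in = check_exposure(product, version)
    return {"version": version, "affected": affected, "fixed_in": fixed_in}


# Constructed sample reply (not captured from a real node), trimmed to the
# fields this example reads.
SAMPLE_OVERVIEW = json.dumps(
    {"rabbitmq_version": "3.7.20", "management_version": "3.7.20"}
)

if __name__ == "__main__":
    print(triage_overview(SAMPLE_OVERVIEW))
    for product, version in [
        ("rabbitmq-server", "3.8.1"),
        ("rabbitmq-server", "3.7.21-rc.1"),
        ("rabbitmq-for-pivotal-platform", "1.17.3"),
    ]:
        print(product, version, check_exposure(product, version))
```

In practice you would feed `triage_overview` the body of an authenticated GET to the management API's `/api/overview` on each node, or the output of your inventory tool, and page on any `affected: True`. Because the vulnerable component is the management plugin itself, a node whose version falls in range but which has the plugin disabled is still worth recording: the exposure returns the moment someone enables it.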