RabbitMQ Authorization Header Logging Vulnerability in Versions Through 3.13.7

Vulnerability

A vulnerability exists in RabbitMQ versions through 3.13.7: the server writes the HTTP Authorization header into its logs unmodified. When the RabbitMQ API is accessed over HTTP or HTTPS using basic authentication, that header carries the username and password as a base64-encoded string, which is an encoding rather than encryption and is trivially decoded. Because the logs include all request headers, the logged entries reveal the base64-encoded usernames and passwords. Exploiting this vulnerability could lead to unauthorized access to the system, depending on the credentials involved.

Impact

This vulnerability allows for the unauthorized disclosure of basic authentication credentials, which could be used to gain control over the RabbitMQ server, particularly if the credentials belong to an administrative user.

Reproduction

To reproduce this vulnerability, create a new admin user in the RabbitMQ management console. Then send a POST request to the RabbitMQ API's queue management endpoint for a non-existent queue, using basic authentication with the newly created admin user's credentials. The Authorization header, including the base64-encoded username and password, is written to the log. This can be verified by checking the RabbitMQ error logs, which display the Authorization header in the logged error details.

Remediation

Users can upgrade to RabbitMQ versions 4.0.8, 4.1.0, or 3.13.8 to address this vulnerability.
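Upgrading stops new credentials from being logged, but logs written before the upgrade may already contain Authorization headers, and those accounts need a credential rotation. The following Python script is an added example, not RabbitMQ's code or part of the original advisory: it scans log text for basic-auth Authorization headers, reports which usernames were exposed (so the right accounts can be rotated) without printing the passwords, and produces a redacted copy suitable for forwarding to a central log store. The log lines and the `req_headers` layout are constructed for illustration; the exact format of the affected versions' error entries is not given on the page and is assumed here.

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample of RabbitMQ-style log lines. The header layout and the
# credentials are made up for this example; they are not real log output.
SAMPLE_LOG = """\
2025-06-19 17:18:01.123 [error] <0.1234.0> HTTP API request failed: ...
    req_headers => #{<<"accept">> => <<"*/*">>, <<"authorization">> => <<"Basic YWRtaW46czNjcmV0">>, <<"host">> => <<"rabbit:15672">>}
2025-06-19 17:18:02.456 [info] <0.1235.0> accepting AMQP connection <0.1235.0> (127.0.0.1:54321 -> 127.0.0.1:5672)
2025-06-19 17:18:03.789 [error] <0.1236.0> HTTP API request failed: ...
    req_headers => #{<<"authorization">> => <<"Basic bW9uaXRvcjpwYXNzd29yZA==">>}
2025-06-19 17:18:04.000 [error] <0.1237.0> Authorization: Bearer eyJhbGciOi...
"""

# Match "authorization", a short run of formatting characters (Erlang map
# syntax, quotes, a colon), the "Basic" scheme, and the base64 token.
HEADER_RE = re.compile(
    r"(?P<lead>authorization.{0,40}?basic\s+)(?P<token>[A-Za-z0-9+/]+={0,2})",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Leak:
    """One exposed basic-auth credential; the password is deliberately not kept."""
    line_no: int
    username: str


def find_leaked_basic_auth(log_text: str) -> list[Leak]:
    """Return the line number and username of every basic-auth header found.

    Tokens that are not valid base64 or not of the form user:password are
    skipped, so Bearer tokens and unrelated base64 blobs are not reported.
    """
    leaks: list[Leak] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for match in HEADER_RE.finditer(line):
            try:
                decoded = base64.b64decode(match.group("token"), validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # not a well-formed Basic credential
            username, sep, _password = decoded.partition(":")
            if not sep:
                continue  # Basic credentials always contain a colon
            leaks.append(Leak(line_no, username))
    return leaks


def redact_basic_auth(log_text: str) -> str:
    """Replace every basic-auth token with a marker, leaving the rest intact."""
    return HEADER_RE.sub(lambda m: m.group("lead") + "[REDACTED]", log_text)


if __name__ == "__main__":
    for leak in find_leaked_basic_auth(SAMPLE_LOG):
        print(f"line {leak.line_no}: credentials for user {leak.username!r} exposed; rotate them")
    print(redact_basic_auth(SAMPLE_LOG))
```

Run the scanner over the actual log directory before rotating credentials, and run the redaction over any copies that have already been shipped elsewhere; the two functions are separate so the report can be produced without modifying evidence.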

Added: Jun 19, 2025, 5:18 PM
Updated: Jun 19, 2025, 5:18 PM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 7.5
exploitability: 6.1
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.