CVE-2023-46120: 
Java vulnerability analysis and mitigation

CVE-2023-46120 affects the RabbitMQ Java client library, which allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. The vulnerability was discovered when it was found that the 'maxBodyLength' parameter was not being used when receiving Message objects, allowing attackers to send very large messages that could cause memory overflow and trigger Out of Memory (OOM) errors. This vulnerability affects versions prior to 5.18.0 and was patched in June 2023 (RabbitMQ Release, GitHub Advisory).

The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) and has been assigned a CVSS v3.1 base score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H. The issue stems from the lack of message size validation when receiving Message objects, which allows attackers to send messages of arbitrary size. The vulnerability can be exploited remotely, requires low attack complexity, but needs high privileges to execute (GitHub Advisory).

The primary impact of this vulnerability is the potential for Denial of Service (DoS) attacks against RabbitMQ consumer applications. When exploited, attackers can cause memory exhaustion in consumer applications by sending extremely large messages, ultimately leading to application crashes through Out of Memory errors. The vulnerability affects availability but does not impact confidentiality or integrity of the system (GitHub Advisory).

The vulnerability has been fixed in RabbitMQ Java client version 5.18.0. The fix implements a default maximum message body size limit of 64 MiB. Users are strongly encouraged to upgrade to version 5.18.0 or later to receive the security fix. The patch allows for configuration of the maximum message size through the ConnectionFactory (RabbitMQ Release).