RabbitMQ Password in URL
ID |
amqp_url |
Severity |
high |
Vendor |
RabbitMQ |
Family |
Data Storage Secret |
Description
The Advanced Message Queuing Protocol (AMQP) is an open standard application layer protocol for message-oriented middleware. The defining features of AMQP are message orientation, queuing, routing, reliability and security.
This protocol is used in RabbitMQ, one of the most widely deployed open source message broker.
Security
Any hardcoded password in AMQP Connection URL is a potential secret reported by this detector.
Accidentally checking-in the URL with such hardcoded password to source control repositories could compromise your AMQP service.
Mitigation / Fix
-
Follow your policy for handling leaked secrets, which typically require changing the password in the target system(s). In this case, you may use the rabbitmqctl change_password command:
rabbitmqctl change_password <USERNAME> <NEWPASSWORD>An alternative is to revoke access for the affected user.
-
Remove the hard-coded password from the RabbitMQ URL in source, and pass the password, or alternative credentials for stronger authentication, as a separate configuration setting, but not hard-coded somewhere under version control.
You should consider any sensitive data in commits with secrets as compromised.
Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.