CVE-2019-17572

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2019-17572
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-17572.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-17572
Aliases
Published
2020-05-14T17:15:11Z
Modified
2025-01-14T07:51:44.026116Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

In Apache RocketMQ 4.2.0 to 4.6.0, when the automatic topic creation in the broker is turned on by default, an evil topic like “../../../../topic2020” is sent from rocketmq-client to the broker, a topic folder will be created in the parent directory in brokers, which leads to a directory traversal vulnerability. Users of the affected versions should apply one of the following: Upgrade to Apache RocketMQ 4.6.1 or later.

References

Affected packages

Git / github.com/apache/rocketmq

Affected ranges

Type
GIT
Repo
https://github.com/apache/rocketmq
Events
Introduced
d9fc71b99152277fd991313d5e3161d812da8454
Last affected
d1b4e47c26576cf4fa543bbdd8c6f09643220bed

Affected versions

rocketmq-all-4.*

rocketmq-all-4.2.0
rocketmq-all-4.3.0
rocketmq-all-4.4.0
rocketmq-all-4.5.1
rocketmq-all-4.5.2
rocketmq-all-4.6.0