GHSA-x3cq-8f32-5f63

Source

https://github.com/advisories/GHSA-x3cq-8f32-5f63

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-x3cq-8f32-5f63/GHSA-x3cq-8f32-5f63.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-x3cq-8f32-5f63

Aliases

CVE-2023-33246

Published

2023-07-06T21:15:04Z

Modified

2024-02-16T08:10:39.825694Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Apache RocketMQ may have remote code execution vulnerability when using update configuration function

Details

For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution.

Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.

To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for using RocketMQ 5.x or 4.9.6 or above for using RocketMQ 4.x .

Database specific

{
    "nvd_published_at": "2023-05-24T15:15:09Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-06T23:48:22Z"
}

References

Affected packages

Maven / org.apache.rocketmq:rocketmq-broker

Package

Name: org.apache.rocketmq:rocketmq-broker; View open source insights on deps.dev
Purl: pkg:maven/org.apache.rocketmq/rocketmq-broker

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.1.1

Affected versions

5.*

5.0.0

5.0.0-PREVIEW

5.1.0

Maven / org.apache.rocketmq:rocketmq-namesrv

Package

Name: org.apache.rocketmq:rocketmq-namesrv; View open source insights on deps.dev
Purl: pkg:maven/org.apache.rocketmq/rocketmq-namesrv

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.9.6

Affected versions

4.*

4.0.0-incubating

4.1.0-incubating

4.2.0

4.3.0

4.3.1

4.3.2

4.4.0

4.5.0

4.5.1

4.5.2

4.6.0

4.6.1

4.7.0

4.7.1

4.8.0

4.9.0

4.9.1

4.9.2

4.9.3

4.9.4

4.9.5

Maven / org.apache.rocketmq:rocketmq-controller

Package

Name: org.apache.rocketmq:rocketmq-controller; View open source insights on deps.dev
Purl: pkg:maven/org.apache.rocketmq/rocketmq-controller

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.1.1

Affected versions

5.*

5.0.0

5.1.0

Maven / org.apache.rocketmq:rocketmq-namesrv

Package

Name: org.apache.rocketmq:rocketmq-namesrv; View open source insights on deps.dev
Purl: pkg:maven/org.apache.rocketmq/rocketmq-namesrv

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.1.1

Affected versions

5.*

5.0.0

5.0.0-PREVIEW

5.1.0