vulnerability

Apache RocketMQ: CVE-2023-33246: Remote Command Execution.

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)	Sep 6, 2023	Oct 23, 2023	Oct 24, 2023

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:C/A:C)

Published

Sep 6, 2023

Added

Oct 23, 2023

Modified

Oct 24, 2023

Description

For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.

Solution

apache-rocketmq-cve-2023-33246

References

CVE-2023-33246
https://attackerkb.com/topics/CVE-2023-33246
URL-https://nvd.nist.gov/vuln/detail/CVE-2023-33246
URL-https://lists.apache.org/thread/1s8j2c8kogthtpv3060yddk03zq0pxyp

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today