SB2023071508 - Missing authorization in Apache RocketMQ
Published: July 15, 2023
Security Bulletin ID
SB2023071508
CSH Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Missing Authorization (CVE-ID: CVE-2023-37582)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to missing authorization in the RocketMQ NameServer component. A remote non-authenticated attacker can use the update configuration function on the NameServer component to execute commands as the system users that RocketMQ is running as.Note, the vulnerability exists due to incomplete fix for #VU76462 (CVE-2023-33246).
Remediation
Install update from vendor's website.