ID:9176 - Exploit for Missing Authorization in RocketMQ - CVE-2023-33246

 

Published: July 6, 2023


Vulnerability identifier: #VU76462
Vulnerability risk: Critical
CVE-ID: CVE-2023-33246
CWE-ID: CWE-862
Exploitation vector: Remote access
Vulnerable software: RocketMQ


Vulnerability description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to missing authorization in several components of RocketMQ, including NameServer, Broker, and Controller. A remote unauthenticated attacker can use the update configuration function to execute arbitrary commands on the system. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.


Remediation

Install updates from the vendor's website.