ID:9186 - Exploit for Missing Authorization in RocketMQ - CVE-2023-37582

CSH
CYBERSECURITY HELP
Sign In REGISTER
 
Main Vulnerability Database Exploits ID:9186 - Exploit for Missing Authorization in RocketMQ - CVE-2023-37582

ID:9186 - Exploit for Missing Authorization in RocketMQ - CVE-2023-37582

Published: July 15, 2023


Vulnerability identifier: #VU78267
Vulnerability risk: High
CVE-ID: CVE-2023-37582
CWE-ID: CWE-862
Exploitation vector: Remote access
Vulnerable software:
RocketMQ

Link to public exploit:


Vulnerability description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to missing authorization in the RocketMQ NameServer component. A remote non-authenticated attacker can use the update configuration function on the NameServer component to execute commands as the system users that RocketMQ is running as.

Note, the vulnerability exists due to incomplete fix for #VU76462 (CVE-2023-33246).


Remediation

Install updates from vendor's website.