Path traversal in RocketMQ - CVE-2019-17572

Published: May 24, 2023


Vulnerability identifier: #VU76461
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-17572
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
RocketMQ
Software vendor:
Apache Foundation

Description

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing directory traversal sequences in topic names while automatic topic creation is enabled on the broker. A remote user can force the broker to create folders in the parent directory by supplying a specially crafted topic name.
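The defensive point behind CWE-22 here is that a user-supplied topic name is later used as a file system path component. The following is an added example, not code from the RocketMQ project: it shows the two checks a broker-side handler would want before creating a topic directory, an allow-list on the name itself and a confinement check on the resolved path. The store root, the allow-list pattern and the function names are assumptions made for the example.

```python
import os
import re
from typing import Optional, Tuple

# Constructed example: the directory under which a broker stores per-topic data
# (hypothetical path, not taken from RocketMQ).
STORE_ROOT = "/var/lib/rocketmq/store/consumequeue"

# Conservative allow-list for topic names. This pattern is an assumption chosen
# for the example; it deliberately excludes '.', '/', and '\' so that neither
# ".." sequences nor path separators can reach the file system layer.
TOPIC_NAME_RE = re.compile(r"^[A-Za-z0-9_%-]{1,127}$")


def is_safe_topic_name(name: str) -> bool:
    """First line of defence: reject any name outside the allow-list."""
    return TOPIC_NAME_RE.fullmatch(name) is not None


def resolve_topic_dir(root: str, name: str) -> Optional[str]:
    """Second line of defence: join the name onto the root and confirm the
    normalised result still lies strictly below the root directory.
    Returns the confined absolute path, or None if the path escapes."""
    root_abs = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_abs, name))
    # commonpath() equals root_abs only when candidate is at or below it;
    # the equality test also rejects names that resolve to the root itself.
    if os.path.commonpath([root_abs, candidate]) != root_abs or candidate == root_abs:
        return None
    return candidate


def topic_dir_is_confined(root: str, name: str) -> bool:
    """Convenience predicate over resolve_topic_dir() for logging and tests."""
    return resolve_topic_dir(root, name) is not None


def validate_topic(root: str, name: str) -> Tuple[bool, str]:
    """Combined check a topic-creation handler would run before touching disk.
    Both checks are needed: the confinement test alone accepts names such as
    'a/b' that stay inside the root but still create unexpected nested
    directories, while the allow-list alone says nothing about symlinks."""
    if not is_safe_topic_name(name):
        return False, "topic name contains characters outside the allow-list"
    if resolve_topic_dir(root, name) is None:
        return False, "topic name resolves outside the store root"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample of topic names as a broker might receive them.
    for sample in ["orders_2023", "a/b", "../../../tmp/x", ".."]:
        ok, reason = validate_topic(STORE_ROOT, sample)
        print(f"{sample!r}: {'accept' if ok else 'reject'} ({reason})")
```

Rejected names are worth logging with the client address, since a traversal sequence in a topic name is never legitimate traffic and makes a simple, low-noise detection signal.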
Remediation

Install update from vendor's website.

External links