Path traversal in RocketMQ - CVE-2019-17572

 

Path traversal in RocketMQ - CVE-2019-17572

Published: May 24, 2023


Vulnerability identifier: #VU76461
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-17572
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
RocketMQ

Detailed vulnerability description

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences when the automatic topic creation in the broker is turned on. A remote user can force the application to create folders in the parent directory in brokers using a specially crafted topic name.


How to mitigate CVE-2019-17572

Install update from vendor's website.

Sources