Missing Authorization in RocketMQ - CVE-2023-33246

Published: May 24, 2023 / Updated: August 31, 2023
Vulnerability identifier: #VU76462
CSH Severity: Critical
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2023-33246
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vendor: Apache Foundation
Affected software:
RocketMQ

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to missing authorization in several components of RocketMQ, including NameServer, Broker, and Controller. A remote non-authenticated attacker can use the update configuration function to execute arbitrary commands on the system. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.
How to mitigate CVE-2023-33246

Install updates from the vendor's website.

Sources