Missing Authorization in RocketMQ - CVE-2023-37582
Published: July 15, 2023
Vulnerability identifier: #VU78267
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2023-37582
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: Apache Foundation
Affected software:
RocketMQ
RocketMQ
Detailed vulnerability description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to missing authorization in the RocketMQ NameServer component. A remote non-authenticated attacker can use the update configuration function on the NameServer component to execute commands as the system users that RocketMQ is running as.Note, the vulnerability exists due to incomplete fix for #VU76462 (CVE-2023-33246).
How to mitigate CVE-2023-37582
Install updates from vendor's website.