Main Vulnerability Database Vulnerabilities #VU78267

#VU78267 Missing Authorization in RocketMQ - CVE-2023-37582

Published: July 15, 2023

Vulnerability identifier: #VU78267

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber

CVE-ID: CVE-2023-37582

CWE-ID: CWE-862

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vulnerable software:
RocketMQ

Software vendor:
Apache Foundation

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to missing authorization in the RocketMQ NameServer component. A remote non-authenticated attacker can use the update configuration function on the NameServer component to execute commands as the system users that RocketMQ is running as.

Note, the vulnerability exists due to incomplete fix for #VU76462 (CVE-2023-33246).

Remediation

Install updates from vendor's website.

External links

https://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc
http://www.openwall.com/lists/oss-security/2023/07/12/1

#VU78267 Missing Authorization in RocketMQ - CVE-2023-37582

Description

Remediation

External links

Please verify you're human