<p>Upgrade <code>org.apache.rocketmq:rocketmq-broker</code> to version 4.9.6, 5.1.1 or higher.</p>

Arbitrary Code Injection Affecting org.apache.rocketmq:rocketmq-broker package, versions [,4.9.6) [5.0.0,5.1.1)

Threat Intelligence

Trending on 𝕏

Mature

97.23% (100^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGAPACHEROCKETMQ-5602338
published 25 May 2023
disclosed 25 May 2023
credit lvyyevd@gmail.com

Report a new vulnerability Found a mistake?

Introduced: 25 May 2023

CVE-2023-33246 Open this link in a new tab CWE-94 Open this link in a new tab

How to fix?

Upgrade org.apache.rocketmq:rocketmq-broker to version 4.9.6, 5.1.1 or higher.

Overview

org.apache.rocketmq:rocketmq-broker is a distributed messaging and streaming platform.

Affected versions of this package are vulnerable to Arbitrary Code Injection. Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

Low
Integrity (I)

Low
Availability (A)

Low