CVE-2023-37582

EPSS 88.54%
Published 12.07.2023 10:15:11
Last modified 23.04.2025 17:16:33
Source security@apache.org
Teams watchlist Login
Open Login

The RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1. 

When NameServer address are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function on the NameServer component to execute commands as the system users that RocketMQ is running as. 

It is recommended for users to upgrade their NameServer version to 5.1.2 or above for RocketMQ 5.x or 4.9.7 or above for RocketMQ 4.x to prevent these attacks.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Rocketmq Version <= 4.9.6

Apache ≫ Rocketmq Version >= 5.0.0 <= 5.1.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	88.54%	0.995

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

http://www.openwall.com/lists/oss-security/2023/07/12/1

Patch

Third Party Advisory

Mailing List

https://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc

Patch

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2023-37582

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-37582

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-37582

EUVD