CVE-2023-37582

nvd nist nuclei

Published: Jul 12, 2023Modified: Apr 23, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1. When NameServer address are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function on the NameServer component to execute commands as the system users that RocketMQ is running as. It is recommended for users to upgrade their NameServer version to 5.1.2 or above for RocketMQ 5.x or 4.9.7 or above for RocketMQ 4.x to prevent these attacks.

Affected (2)

Products: Apache: Rocketmq

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Apache Rocketmq	Up to 4.9.6
Apache Rocketmq	From 5.0.0 to 5.1.1

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (4)

http://www.openwall.com/lists/oss-security/2023/07/12/1

Source: security@apache.org

Mailing ListPatchThird Party Advisory

https://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc

Source: security@apache.org

Mailing ListPatchVendor Advisory

http://www.openwall.com/lists/oss-security/2023/07/12/1

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListPatchThird Party Advisory

https://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListPatchVendor Advisory

Timeline

No history available yet.