apache/rocketmq Vulnerability Summary
- Vendor name: apache
- Product name: rocketmq
- Total vulnerabilities: 1 (as 2023-05-04)
apache/rocketmq Vulnerability List
CVE-2019-17572: In Apache RocketMQ 4.2.0 to 4.6.0, when the automatic topic creation in the broker is turned on…
Published: 2020-05-14T17:15:00 Last Modified: 2020-05-15T18:17:00
In Apache RocketMQ 4.2.0 to 4.6.0, when the automatic topic creation in the broker is turned on by default, an evil topic like “../../../../topic2020” is sent from rocketmq-client to the broker, a topic folder will be created in the parent directory in brokers, which leads to a directory traversal vulnerability. Users of the affected versions should apply one of the following: Upgrade to Apache RocketMQ 4.6.1 or later.
Common Weakness Enumeration (CWE): CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CWE Description: The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- Impact Score: 2.9
- Exploitability Score: 10.0
- CVSS: 5.0
- CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
- Availability: NONE
- Confidentiality: PARTIAL
- Integrity: NONE
- Authentication: NONE
- Complexity: LOW
- Vector: NETWORK
Currently, there is no code for exploiting the CVE-2019-17572 vulnerability.