CVE-2023-33246
Apache RocketMQ Command Execution Vulnerability
CVSS
—
No CVSS
EPSS
96.6%
p100
KEV
YES
Sep 6, 2023
Exploit Today
80
0-100
Published: — · Last modified: —
Product
Apache / RocketMQ
Vulnerability
Apache RocketMQ Command Execution Vulnerability
Added to KEV
Sep 6, 2023
Remediate by
Sep 27, 2023
Known ransomware use
No
Summary description
Several components of Apache RocketMQ, including NameServer, Broker, and Controller, are exposed to the extranet and lack permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as or achieve the same effect by forging the RocketMQ protocol content.
Required action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes
https://lists.apache.org/thread/1s8j2c8kogthtpv3060yddk03zq0pxyp; https://nvd.nist.gov/vuln/detail/CVE-2023-33246
No related CVEs by CWE or product.