Critical severity · NVD Advisory · Published Jul 12, 2023 · Updated Apr 23, 2025
Apache RocketMQ: Possible remote code execution when using the update configuration function
CVE-2023-37582
Description
The RocketMQ NameServer component still has a remote command execution vulnerability, because the CVE-2023-33246 issue was not completely fixed in version 5.1.1.
When NameServer addresses are exposed on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function of the NameServer component to execute commands as the system user that RocketMQ runs as.
Users are advised to upgrade NameServer to version 5.1.2 or later for RocketMQ 5.x, or 4.9.7 or later for RocketMQ 4.x, to prevent these attacks.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.rocketmq:rocketmq-namesrv | Maven | < 4.9.7 | 4.9.7 |
| org.apache.rocketmq:rocketmq-namesrv | Maven | >= 5.0.0, < 5.1.2 | 5.1.2 |
References
- github.com/advisories/GHSA-gpq8-963w-8qc9 (GHSA advisory)
- lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc (Apache vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-37582 (NVD advisory)
- www.openwall.com/lists/oss-security/2023/07/12/1 (oss-security announcement)