VYPR
Critical severity · NVD Advisory · Published Jul 12, 2023 · Updated Apr 23, 2025

Apache RocketMQ: Possible remote code execution when using the update configuration function

CVE-2023-37582

Description

The RocketMQ NameServer component still contains a remote command execution vulnerability because the fix for CVE-2023-33246 shipped in version 5.1.1 was incomplete.

When a NameServer address is exposed on the public internet and the component performs no permission verification, an attacker can exploit this vulnerability through the NameServer's update configuration function to execute commands as the system user that RocketMQ runs as.

Users are advised to upgrade NameServer to 5.1.2 or later for RocketMQ 5.x, or 4.9.7 or later for RocketMQ 4.x, to prevent these attacks. Because the affected artifact is rocketmq-namesrv, upgrading brokers alone does not address this CVE; check the version deployed on each NameServer host.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                        Affected versions     Patched versions
org.apache.rocketmq:rocketmq-namesrv (Maven)   < 4.9.7               4.9.7
org.apache.rocketmq:rocketmq-namesrv (Maven)   >= 5.0.0, < 5.1.2     5.1.2
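The following is an added example, not code from this advisory or from the RocketMQ project: a Python check that maps a rocketmq-namesrv version onto the affected ranges in the table above and scans `mvn dependency:tree` output for affected coordinates. It assumes plain dotted numeric versions (a trailing qualifier such as -SNAPSHOT is dropped) and the usual dependency:tree line layout; the sample tree output embedded in the block is constructed, not captured from a real build.

```python
"""Added example (not from the advisory or the RocketMQ project): decide whether
a rocketmq-namesrv version is inside the affected ranges of CVE-2023-37582 and
scan `mvn dependency:tree` output for affected coordinates.
Assumption: versions are dotted numerics like 5.1.1, optionally with a
'-qualifier' suffix that is ignored."""
import re
from typing import List, Optional, Tuple

ARTIFACT = "org.apache.rocketmq:rocketmq-namesrv"

# (lower bound inclusive or None, upper bound exclusive, patched version),
# transcribed from the advisory's affected-versions table.
AFFECTED_RANGES = [
    (None, (4, 9, 7), "4.9.7"),        # < 4.9.7
    ((5, 0, 0), (5, 1, 2), "5.1.2"),   # >= 5.0.0, < 5.1.2
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.1.1' into (5, 1, 1). A '-SNAPSHOT' style qualifier is dropped and
    short versions are padded so that '5.1' compares as 5.1.0."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


def patched_version_for(v: str) -> Optional[str]:
    """Return the fix version if `v` is affected, else None."""
    ver = parse_version(v)
    for lo, hi, fix in AFFECTED_RANGES:
        if (lo is None or ver >= lo) and ver < hi:
            return fix
    return None


def is_affected(v: str) -> bool:
    return patched_version_for(v) is not None


# Shape of a `mvn dependency:tree` line, e.g.
# "[INFO] +- org.apache.rocketmq:rocketmq-namesrv:jar:5.1.1:compile"
DEP_LINE = re.compile(r"(?P<ga>[\w.\-]+:[\w.\-]+):(?:jar|pom|war):(?P<ver>[^:\s]+)")


def scan_dependency_tree(text: str) -> List[Tuple[str, str]]:
    """Return (version, patched_version) for every affected rocketmq-namesrv line."""
    findings = []
    for line in text.splitlines():
        m = DEP_LINE.search(line)
        if not m or m.group("ga") != ARTIFACT:
            continue
        fix = patched_version_for(m.group("ver"))
        if fix is not None:
            findings.append((m.group("ver"), fix))
    return findings


# Constructed sample output for illustration, not captured from a real build.
SAMPLE_TREE = """\
[INFO] +- org.apache.rocketmq:rocketmq-namesrv:jar:5.1.1:compile
[INFO] |  \\- org.apache.rocketmq:rocketmq-remoting:jar:5.1.1:compile
[INFO] +- org.apache.rocketmq:rocketmq-namesrv:jar:4.9.7:compile
[INFO] \\- org.apache.rocketmq:rocketmq-namesrv:jar:4.9.4:test
"""

if __name__ == "__main__":
    for ver, fix in scan_dependency_tree(SAMPLE_TREE):
        print(f"{ARTIFACT}:{ver} is affected by CVE-2023-37582; upgrade to {fix}")
```

Run against real `mvn dependency:tree` output the scan reports only the namesrv artifact, so a build that pulls in a patched broker but a 5.1.1 NameServer is still flagged; the version actually deployed on each NameServer host, not only the build's dependency tree, is what matters for this CVE.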
