CVSS3: 9.8 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.973 High (Percentile: 99.9%)

org.apache.rocketmq:rocketmq-namesrv is vulnerable to Remote Code Execution (RCE). The vulnerability exists because the library allows the config path to be updated at runtime. By forging RocketMQ protocol content, an attacker can inject and execute malicious code through the update configuration function, which also leads to information leakage on the extranet. The fix for CVE-2023-33246 did not completely resolve this issue, so a new CVE was issued.

CPE

Name | Operator | Version |
---|---|---|
rocketmq-namesrv | le | 4.9.6 |
rocketmq-namesrv | le | 5.1.1 |