2 matches found
com.webank.defibus:defibus-broker (>=1.0.0 <=1.0.1), com.webank.defibus:defibus-namesrv (>=1.0.0 <=1.0.1) +1 more potentially affected by CVE-2019-17572 via org.apache.rocketmq:rocketmq-broker (>=4.2.0 <=4.6.0)
org.apache.rocketmq:rocketmq-broker MAVEN version =4.2.0, =1.0.0, =1.0.0, =4.2.0, =4.6.0 Source cves: CVE-2019-17572 Source advisory: OSV:GHSA-5X3V-2GXR-59M2...
Directory Traversal
rocketmq-broker is vulnerable to directory traversal. Automatic topic creation, which is enabled by default, allows a folder name containing ../ characters to be created. This results in arbitrary directories being written into the parent directories, potentially overwriting existing folders...