4 matches found
CVE-2023-33246
CVE-2023-33246 affects Apache RocketMQ 5.1.0 and earlier. The vulnerability arises when the NameServer, Broker, and Controller are exposed on the extranet without sufficient permission verification, allowing an attacker to trigger remote code execution by using the update configuration function or by f...
CVE-2023-37582
The CVE-2023-37582 entry concerns Apache RocketMQ’s NameServer remote code execution when addresses are exposed on the extranet and permission checks are missing. The vulnerability stems from insufficient access control in the update configuration path, enabling commands to execute as the RocketM...
CVE-2024-23321
CVE-2024-23321 affects RocketMQ 5.2.0 and earlier, where under certain conditions an attacker with regular user privileges (or whose IP address is on the whitelist) can disclose administrator credentials via specific interfaces, gaining full control if they can access the broker IP address list. The risk arises d...
CVE-2019-17572
CVE-2019-17572 affects Apache RocketMQ from versions 4.2.0 through 4.6.0. When broker automatic topic creation is enabled by default, an attacker-provided topic such as “../../../../topic2020” can cause a directory to be created in the broker’s parent directory, resulting in a directory traversal...