For RocketMQ versions 5.2.0 and below, under certain conditions, there is a risk of exposure of sensitive Information to an unauthorized actor even if RocketMQ is enabled with authentication and authorization functions.
An attacker, possessing regular user privileges or listed in the IP whitelist, could potentially acquire the administrator's account and password through specific interfaces. Such an action would grant them full control over RocketMQ, provided they have access to the broker IP address list.
To mitigate these security threats, it is strongly advised that users upgrade to version 5.3.0 or newer. Additionally, we recommend users to use RocketMQ ACL 2.0 instead of the original RocketMQ ACL when upgrading to version Apache RocketMQ 5.3.0.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2024/07/22/1 | Mailing List |
https://lists.apache.org/thread/lr8npobww786nrnddd1pcy974r17c830 | Mailing List Vendor Advisory |
http://www.openwall.com/lists/oss-security/2024/07/22/1 | Mailing List |
https://lists.apache.org/thread/lr8npobww786nrnddd1pcy974r17c830 | Mailing List Vendor Advisory |
Configurations
History
21 Nov 2024, 08:57
Type | Values Removed | Values Added |
---|---|---|
References | () http://www.openwall.com/lists/oss-security/2024/07/22/1 - Mailing List | |
References | () https://lists.apache.org/thread/lr8npobww786nrnddd1pcy974r17c830 - Mailing List, Vendor Advisory |
10 Sep 2024, 15:15
Type | Values Removed | Values Added |
---|---|---|
References | () http://www.openwall.com/lists/oss-security/2024/07/22/1 - Mailing List | |
References | () https://lists.apache.org/thread/lr8npobww786nrnddd1pcy974r17c830 - Mailing List, Vendor Advisory | |
First Time |
Apache rocketmq
Apache |
|
CPE | cpe:2.3:a:apache:rocketmq:*:*:*:*:*:*:*:* | |
CWE | NVD-CWE-noinfo | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
01 Aug 2024, 13:47
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
22 Jul 2024, 14:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
22 Jul 2024, 13:00
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
22 Jul 2024, 10:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-07-22 10:15
Updated : 2024-11-21 08:57
NVD link : CVE-2024-23321
Mitre link : CVE-2024-23321
CVE.ORG link : CVE-2024-23321
JSON object : View
Products Affected
apache
- rocketmq
CWE