Directory Traversal Vulnerability in Apache RocketMQ by Apache
CVE-2019-17572
5.3 MEDIUM
Summary
In Apache RocketMQ versions 4.2.0 through 4.6.0, a configuration issue with automatic topic creation can allow an attacker to send malicious topic names. This could lead to a directory traversal vulnerability, permitting the creation of folders outside the intended directory structure. Specifically, if the topic name is crafted to include relative path elements, it may allow for unauthorized directory access. Users are advised to upgrade to Apache RocketMQ 4.6.1 or later to secure their installations.
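The check described in the summary, as an added example that is not RocketMQ's own code: an allowlist on topic names plus a containment test on the resolved path. The allowlist pattern, function names, store path and sample topic names are assumptions made for the illustration.

```python
import re
from pathlib import Path

# Assumed allowlist (hypothetical): letters, digits, '_', '-', '%', '|', max 127 chars.
# The rule enforced by RocketMQ 4.6.1 is not stated on this page.
TOPIC_ALLOWLIST = re.compile(r"[A-Za-z0-9_%|-]{1,127}")


def is_safe_topic(topic: str) -> bool:
    """True only if the whole name matches the allowlist (no '/', '\\' or '.')."""
    return TOPIC_ALLOWLIST.fullmatch(topic) is not None


def escapes_root(store_root: str, topic: str) -> bool:
    """True if joining topic onto store_root resolves to anything other than
    a direct child of store_root, i.e. the folder would land elsewhere."""
    root = Path(store_root).resolve()
    return (root / topic).resolve().parent != root


def audit_topics(store_root: str, topics):
    """Classify names as 'ok', 'rejected' (fails the allowlist only) or
    'traversal' (would not resolve to a direct child of the root)."""
    report = {}
    for name in topics:
        if is_safe_topic(name):
            # Defence in depth: re-check containment even for allowed names.
            report[name] = "traversal" if escapes_root(store_root, name) else "ok"
        elif escapes_root(store_root, name):
            report[name] = "traversal"
        else:
            report[name] = "rejected"
    return report


# Constructed sample input: store path and topic names are made up for the example.
SAMPLE_ROOT = "/srv/rocketmq/store/topics"
SAMPLE_TOPICS = ["orders", "TopicTest_01", "../../tmp/evil", "a/../b", "bad name"]

if __name__ == "__main__":
    for topic, verdict in audit_topics(SAMPLE_ROOT, SAMPLE_TOPICS).items():
        print(f"{topic!r:20} {verdict}")
```

Running the same classification over topic names already present on a broker is one way to spot entries created before the upgrade.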
Affected Version(s)
Apache RocketMQ 4.2.0 to 4.6.0
CVSS V3.1
Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved