CVE-2023-37582

CVE-2023-37582: Apache RocketMQ: Possible remote code execution when using the update configuration function

Vendor Apache Software Foundation
Product Apache RocketMQ
Weakness CWE-94 · Code injection
Published July 12, 2023
Last update April 23, 2025

CVSS base score

What the vulnerability does

Description

The RocketMQ NameServer component still has a remote command execution vulnerability because the fix for CVE-2023-33246 in version 5.1.1 was incomplete. When a NameServer address is exposed to the public internet and the service lacks permission verification, an attacker can use the update configuration function of the NameServer component to execute commands as the system user that RocketMQ runs as. Users are advised to upgrade NameServer to 5.1.2 or later on the RocketMQ 5.x line, or to 4.9.7 or later on the RocketMQ 4.x line, to prevent these attacks.
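The description gives two things a defender can act on directly: the fixed version thresholds (5.1.2 for 5.x, 4.9.7 for 4.x) and the two preconditions for exploitation (a NameServer reachable from the internet, and no permission verification in front of it). The following triage helper is an added example, not code from the Apache RocketMQ project or from the advisory; it encodes only those thresholds and preconditions. The inventory records, the field names (`internet_exposed`, `access_control`) and the sample hosts are constructed assumptions standing in for whatever an asset inventory or scan would supply.

```python
"""Triage helper for CVE-2023-37582 (Apache RocketMQ NameServer).

Added example, not Apache RocketMQ project code. Encodes the advisory's
remediation thresholds: NameServer 5.1.2+ on the 5.x line, 4.9.7+ on the
4.x line. Version strings are assumed to look like "4.9.6" or
"5.1.2-SNAPSHOT" (a SNAPSHOT is treated as older than the release it names).
"""
import re
from dataclasses import dataclass

# First fixed NameServer release per line, as stated in the advisory.
FIXED_VERSIONS = {4: (4, 9, 7), 5: (5, 1, 2)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch) from a RocketMQ version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised RocketMQ version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def nameserver_is_patched(version: str) -> bool:
    """True if this NameServer version is at or above the advisory's fix."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        # Lines other than 4.x and 5.x are not named by the advisory:
        # anything newer than 5.x is assumed to carry the fix, older is not.
        return parsed[0] > 5
    if parsed == fixed and version.strip().upper().endswith("-SNAPSHOT"):
        # A pre-release build of the fixed version is not the fixed release.
        return False
    return parsed >= fixed


@dataclass
class NameServerHost:
    host: str
    version: str
    internet_exposed: bool  # assumed field: NameServer reachable from the internet
    access_control: bool    # assumed field: permission verification in front of it


def assess(hosts) -> dict:
    """Map each host to 'ok', 'patch', or 'urgent'.

    'urgent' means both exploitation preconditions from the advisory hold
    on an unpatched NameServer; 'patch' means unpatched but at least one
    precondition is absent.
    """
    result = {}
    for h in hosts:
        if nameserver_is_patched(h.version):
            result[h.host] = "ok"
        elif h.internet_exposed and not h.access_control:
            result[h.host] = "urgent"
        else:
            result[h.host] = "patch"
    return result


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    NameServerHost("ns-prod-1", "5.1.1", internet_exposed=True, access_control=False),
    NameServerHost("ns-prod-2", "5.1.2", internet_exposed=True, access_control=False),
    NameServerHost("ns-int-1", "4.9.6", internet_exposed=False, access_control=True),
]


if __name__ == "__main__":
    for host, verdict in assess(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

The advisory does not describe the injection mechanism behind the update configuration function, so the helper deliberately does not probe a live NameServer; it only ranks what to fix first. Because the description says the fix in 5.1.1 was incomplete, the check treats 5.1.1 as unpatched even though it carries the CVE-2023-33246 fix.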

Key dates

Disclosure timeline

July 12, 2023 CVE published
April 23, 2025 Record updated