PT-2020-9920 · Apache · Apache Rocketmq

Shannonding

Published

2020-05-14

Updated

2020-07-01

CVE-2019-17572

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Apache RocketMQ versions 4.2.0 through 4.6.0

Description The issue arises when automatic topic creation is enabled in the broker by default, allowing an attacker to send a malicious topic name, such as "../../../../topic2020", from the rocketmq-client to the broker. This results in the creation of a topic folder in the parent directory of the broker, leading to a directory traversal issue.

Recommendations For Apache RocketMQ versions 4.2.0 through 4.6.0, upgrade to Apache RocketMQ 4.6.1 or later.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2019-17572

GHSA-5X3V-2GXR-59M2

Affected Products

Apache Rocketmq

PT-2020-9920 · Apache · Apache Rocketmq

CVE-2019-17572

Weakness Enumeration

Related Identifiers

Affected Products

References · 9