PT-2024-5329 · Apache · Rocketmq

Baochengzhang · Published 2024-01-15 · Updated 2024-09-10 · CVE-2024-23321

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: RocketMQ versions 5.2.0 and below

Description: The issue stems from insufficient protection of service data in the RocketMQ messaging platform, which could allow a remote attacker to gain unauthorized access to protected information. Under certain conditions, even with the authentication and authorization functions enabled, sensitive information can be exposed to an unauthorized actor. An attacker with regular user privileges, or whose address is listed in the IP whitelist, could obtain the administrator's account and password through specific interfaces; with access to the broker IP address list, this grants full control over RocketMQ.

Recommendations: For RocketMQ versions 5.2.0 and below, upgrade to version 5.3.0 or newer to mitigate the security threat. When upgrading to Apache RocketMQ 5.3.0, use RocketMQ ACL 2.0 instead of the original RocketMQ ACL.

Fix

Weakness Enumeration: Information Disclosure

Related Identifiers

BDU:2024-05957
CVE-2024-23321
GHSA-Q9W2-H4CW-8GHP

Affected Products

Rocketmq