CVE-2019-17572
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In Apache RocketMQ 4.2.0 to 4.6.0, when the automatic topic creation in the broker is turned on by default, an evil topic like “../../../../topic2020” is sent from rocketmq-client to the broker, a topic folder will be created in the parent directory in brokers, which leads to a directory traversal vulnerability. Users of the affected versions should apply one of the following: Upgrade to Apache RocketMQ 4.6.1 or later.
En Apache RocketMQ versiones 4.2.0 hasta 4.6.0, cuando la creación automática de temas en el agente está activada por defecto, un tema maligno como "../../../../topic2020" es enviado desde rocketmq-client para el agente, una carpeta de temas será creada en el directorio principal en los agentes, lo que conduce a una vulnerabilidad de salto del directorio. Los usuarios de las versiones afectadas deben aplicar lo siguiente: Actualización a Apache RocketMQ versión 4.6.1 o posterior.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-10-14 CVE Reserved
- 2020-05-14 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (2)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Rocketmq Search vendor "Apache" for product "Rocketmq" | >= 4.2.0 <= 4.6.0 Search vendor "Apache" for product "Rocketmq" and version " >= 4.2.0 <= 4.6.0" | - |
Affected
| ||||||