CVE-2019-17572

CWE-22 Path Traversal | 4 documents | 4 sources
Severity: 5.3 MEDIUM
EPSS: 1.5% (top 18.60%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published May 14, 2020; latest update Jul 1, 2020

Description

In Apache RocketMQ 4.2.0 to 4.6.0, when automatic topic creation is enabled in the broker (which it is by default), a malicious topic name such as "../../../../topic2020" sent from rocketmq-client to the broker causes a topic folder to be created in a parent directory of the broker's store. The broker builds the topic's on-disk path from the unvalidated name, so "../" segments escape the intended directory: a directory traversal vulnerability (CWE-22). Users of affected versions should upgrade to Apache RocketMQ 4.6.1 or later.
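The pattern described above, shown as an added example that is not RocketMQ's own code: a broker-style routine that resolves a topic directory by concatenating the client-supplied topic name under a store root, beside a hardened version that first rejects names outside an allowlist of characters and then confirms the normalized path is still contained in the root. The store layout, the `STORE_ROOT` location and the exact allowlist pattern are assumptions for illustration; the real broker's directory structure and the validation introduced in 4.6.1 may differ.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

public class TopicDirDemo {

    // Assumed store root for the demo; a real broker's layout differs.
    static final Path STORE_ROOT = Paths.get(System.getProperty("java.io.tmpdir"),
            "rocketmq-demo", "store", "consumequeue").normalize();

    // Vulnerable pattern: the untrusted topic name goes straight into the path.
    // With "../../../../topic2020" the result lies outside STORE_ROOT.
    static Path vulnerableTopicDir(String topic) {
        return STORE_ROOT.resolve(topic);
    }

    // Allowlist of characters a topic name may contain (assumed rule for the demo).
    // Path separators and "." are not in the set, so "../" can never appear.
    static final Pattern TOPIC_NAME = Pattern.compile("^[%|a-zA-Z0-9_-]{1,127}$");

    // Hardened version: allowlist the name, then verify containment after
    // normalization so a second bug cannot reintroduce the traversal.
    static Path safeTopicDir(String topic) {
        if (topic == null || !TOPIC_NAME.matcher(topic).matches()) {
            throw new IllegalArgumentException("invalid topic name: " + topic);
        }
        Path dir = STORE_ROOT.resolve(topic).normalize();
        if (!dir.startsWith(STORE_ROOT)) {
            throw new IllegalArgumentException("topic escapes store root: " + topic);
        }
        return dir;
    }

    public static void main(String[] args) {
        String evil = "../../../../topic2020";   // constructed malicious topic name
        Path resolved = vulnerableTopicDir(evil).normalize();
        System.out.println("vulnerable path : " + resolved);
        System.out.println("inside store?   : " + resolved.startsWith(STORE_ROOT));

        try {
            safeTopicDir(evil);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened check  : rejected (" + e.getMessage() + ")");
        }

        System.out.println("benign topic    : " + safeTopicDir("topic2020"));
    }
}
```

Run with `javac TopicDirDemo.java && java TopicDirDemo`. The allowlist alone closes this bug; the `startsWith` check after `normalize()` is the defence-in-depth step that also catches names that pass a looser pattern, and it must run on the normalized path, since `resolve` alone keeps the ".." components in place.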

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (3 packages)

NVD: apache/rocketmq, 4.2.0 to 4.6.0
CVEList V5: apache_rocketmq, Apache RocketMQ 4.2.0 to 4.6.0

🔴 Vulnerability Details (3)

GHSA: Directory traversal in Apache RocketMQ (2020-07-01)
OSV: Directory traversal in Apache RocketMQ (2020-07-01)
CVEList: CVE-2019-17572: In Apache RocketMQ 4 (2020-05-14)
CVE-2019-17572 (MEDIUM CVSS 5.3) | In Apache RocketMQ 4.2.0 to 4.6.0 | cvebase.io