CVE-2024-23321

CWE-200 — Information Exposure5 documents5 sources

Severity

8.8HIGH

EPSS

0.2%

top 64.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Rocketmq Apache Software Foundation Apache Rocketmq

Timeline

PublishedJul 22

Description

For RocketMQ versions 5.2.0 and below, under certain conditions, there is a risk of exposure of sensitive Information to an unauthorized actor even if RocketMQ is enabled with authentication and authorization functions. An attacker, possessing regular user privileges or listed in the IP whitelist, could potentially acquire the administrator's account and password through specific interfaces. Such an action would grant them full control over RocketMQ, provided they have access to the broker IP a…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDapache/rocketmq4.5.2 — 5.3.0

▶Mavenorg.apache.rocketmq:rocketmq-all4.5.2 — 5.3.0

▶CVEListV5apache_software_foundation/apache_rocketmq4.5.2 — 5.2.0

🔴Vulnerability Details

GHSA

Apache RocketMQ Vulnerable to Unauthorized Exposure of Sensitive Data↗2024-07-22

▶

CVEList

Apache RocketMQ: Unauthorized Exposure of Sensitive Data↗2024-07-22

▶

OSV

Apache RocketMQ Vulnerable to Unauthorized Exposure of Sensitive Data↗2024-07-22

▶

📋Vendor Advisories

Red Hat

apache: RocketMQ: org.apache.rocketmq:rocketmq-all: Unauthorized Exposure of Sensitive Data↗2022-07-22

▶