CVE-2024-23321

For RocketMQ versions 5.2.0 and below, under certain conditions, there is a risk of exposure of sensitive Information to an unauthorized actor even if RocketMQ is enabled with authentication and authorization functions. An attacker, possessing regular user privileges or listed in the IP whitelist, could potentially acquire the administrator's account and password through specific interfaces. Such an action would grant them full control over RocketMQ, provided they have access to the broker IP address list. To mitigate these security threats, it is strongly advised that users upgrade to version 5.3.0 or newer. Additionally, we recommend users to use RocketMQ ACL 2.0 instead of the original RocketMQ ACL when upgrading to version Apache RocketMQ 5.3.0.
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:rocketmq:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:57

Type Values Removed Values Added
References () http://www.openwall.com/lists/oss-security/2024/07/22/1 - Mailing List () http://www.openwall.com/lists/oss-security/2024/07/22/1 - Mailing List
References () https://lists.apache.org/thread/lr8npobww786nrnddd1pcy974r17c830 - Mailing List, Vendor Advisory () https://lists.apache.org/thread/lr8npobww786nrnddd1pcy974r17c830 - Mailing List, Vendor Advisory

10 Sep 2024, 15:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 7.5
v2 : unknown
v3 : 8.8
References () http://www.openwall.com/lists/oss-security/2024/07/22/1 - () http://www.openwall.com/lists/oss-security/2024/07/22/1 - Mailing List
References () https://lists.apache.org/thread/lr8npobww786nrnddd1pcy974r17c830 - () https://lists.apache.org/thread/lr8npobww786nrnddd1pcy974r17c830 - Mailing List, Vendor Advisory
CPE cpe:2.3:a:apache:rocketmq:*:*:*:*:*:*:*:*
First Time Apache rocketmq
Apache
CWE NVD-CWE-noinfo

01 Aug 2024, 13:47

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5

22 Jul 2024, 14:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/07/22/1 -

22 Jul 2024, 13:00

Type Values Removed Values Added
Summary
  • (es) Para las versiones 5.2.0 y anteriores de RocketMQ, bajo ciertas condiciones, existe el riesgo de exposición de información confidencial a un actor no autorizado incluso si RocketMQ está habilitado con funciones de autenticación y autorización. Un atacante que posea privilegios de usuario habituales o que esté incluido en la lista blanca de IP podría adquirir la cuenta y la contraseña del administrador a través de interfaces específicas. Tal acción les otorgaría control total sobre RocketMQ, siempre que tengan acceso a la lista de direcciones IP del corredor. Para mitigar estas amenazas a la seguridad, se recomienda encarecidamente que los usuarios actualicen a la versión 5.3.0 o posterior. Además, recomendamos a los usuarios que utilicen RocketMQ ACL 2.0 en lugar de la RocketMQ ACL original al actualizar a la versión Apache RocketMQ 5.3.0.

22 Jul 2024, 10:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-22 10:15

Updated : 2024-11-21 08:57


NVD link : CVE-2024-23321

Mitre link : CVE-2024-23321

CVE.ORG link : CVE-2024-23321


JSON object : View

Products Affected

apache

  • rocketmq
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo