Home > Vulnerability Database > CVE-2024-23321

Mend.io Vulnerability Database

CVE-2024-23321

Good to know:

Date: July 22, 2024

For RocketMQ versions 5.2.0 and below, under certain conditions, there is a risk of exposure of sensitive Information to an unauthorized actor even if RocketMQ is enabled with authentication and authorization functions. An attacker, possessing regular user privileges or listed in the IP whitelist, could potentially acquire the administrator's account and password through specific interfaces. Such an action would grant them full control over RocketMQ, provided they have access to the broker IP address list. To mitigate these security threats, it is strongly advised that users upgrade to version 5.3.0 or newer. Additionally, we recommend users to use RocketMQ ACL 2.0 instead of the original RocketMQ ACL when upgrading to version Apache RocketMQ 5.3.0.

Language: Java

Severity Score

8.8

Related Resources (6)

Url: http://www.openwall.com/lists/oss-security/2024/07/22/1

Url: https://github.com/apache/rocketmq/releases/tag/rocketmq-all-5.3.0

Url: https://github.com/apache/rocketmq

Url: https://lists.apache.org/thread/lr8npobww786nrnddd1pcy974r17c830

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-23321

Url: https://www.mend.io/vulnerability-database/CVE-2024-23321

Severity Score

8.8

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

Top Fix

Upgrade Version

Upgrade to version org.apache.rocketmq:rocketmq-broker:5.3.0

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-23321

Good to know:

Date: July 22, 2024

Language: Java

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?