Skip to content

Directory traversal in Apache RocketMQ

Moderate severity GitHub Reviewed Published Jul 1, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

maven org.apache.rocketmq:rocketmq-broker (Maven)

Affected versions

>= 4.2.0, < 4.6.1

Patched versions

4.6.1

Description

In Apache RocketMQ 4.2.0 to 4.6.0, when the automatic topic creation in the broker is turned on by default, an evil topic like “../../../../topic2020” is sent from rocketmq-client to the broker, a topic folder will be created in the parent directory in brokers, which leads to a directory traversal vulnerability. Users of the affected versions should apply one of the following: Upgrade to Apache RocketMQ 4.6.1 or later.

References

Reviewed Jul 1, 2020
Published to the GitHub Advisory Database Jul 1, 2020
Last updated Jan 9, 2023

Severity

Moderate

EPSS score

0.048%
(20th percentile)

Weaknesses

CVE ID

CVE-2019-17572

GHSA ID

GHSA-5x3v-2gxr-59m2

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.