Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.rocketmq/rocketmq-client@4.3.0

Type maven

Namespace org.apache.rocketmq

Name rocketmq-client

Version 4.3.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 5.1.2

Latest_non_vulnerable_version 5.1.2

Affected_by_vulnerabilities

url VCID-1328-ts31-5qak

vulnerability_id VCID-1328-ts31-5qak

summary

Improper Control of Generation of Code ('Code Injection')
For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. 

Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. 

To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for using RocketMQ 5.x or 4.9.6 or above for using RocketMQ 4.x .

references

reference_url

http://packetstormsecurity.com/files/173339/Apache-RocketMQ-5.1.0-Arbitrary-Code-Injection.html

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Act
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-01-29T20:30:17Z/

url

http://packetstormsecurity.com/files/173339/Apache-RocketMQ-5.1.0-Arbitrary-Code-Injection.html

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-33246.json

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-33246.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-33246

reference_id

reference_type

scores

value	0.94388
scoring_system	epss
scoring_elements	0.99972
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-33246

reference_url

https://github.com/apache/rocketmq

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/rocketmq

reference_url

https://github.com/apache/rocketmq/commit/9d411cf04a695e7a3f41036e8377b0aa544d754d

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/rocketmq/commit/9d411cf04a695e7a3f41036e8377b0aa544d754d

reference_url

https://github.com/apache/rocketmq/commit/c3ada731405c5990c36bf58d50b3e61965300703

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/rocketmq/commit/c3ada731405c5990c36bf58d50b3e61965300703

reference_url

https://lists.apache.org/thread/1s8j2c8kogthtpv3060yddk03zq0pxyp

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Act
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-01-29T20:30:17Z/

url

https://lists.apache.org/thread/1s8j2c8kogthtpv3060yddk03zq0pxyp

reference_url

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-33246

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-33246

reference_url

https://www.vicarius.io/vsociety/posts/rocketmq-rce-cve-2023-33246-33247

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.vicarius.io/vsociety/posts/rocketmq-rce-cve-2023-33246-33247

reference_url

http://www.openwall.com/lists/oss-security/2023/07/12/1

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Act
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-01-29T20:30:17Z/

url

http://www.openwall.com/lists/oss-security/2023/07/12/1

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2317265
reference_id	2317265
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2317265

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-33246

reference_id

CVE-2023-33246

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-33246

reference_url

https://github.com/jakabakos/CVE-2023-33246_Apache_RocketMQ_RCE

reference_id

CVE-2023-33246_APACHE_ROCKETMQ_RCE

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/jakabakos/CVE-2023-33246_Apache_RocketMQ_RCE

reference_url

https://github.com/Malayke/CVE-2023-33246_RocketMQ_RCE_EXPLOIT

reference_id

CVE-2023-33246_ROCKETMQ_RCE_EXPLOIT

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/Malayke/CVE-2023-33246_RocketMQ_RCE_EXPLOIT

reference_url	https://github.com/advisories/GHSA-x3cq-8f32-5f63
reference_id	GHSA-x3cq-8f32-5f63
reference_type
scores
url	https://github.com/advisories/GHSA-x3cq-8f32-5f63

fixed_packages

url pkg:maven/org.apache.rocketmq/rocketmq-client@5.1.1

purl pkg:maven/org.apache.rocketmq/rocketmq-client@5.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-jk3w-dds4-qbhw

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.rocketmq/rocketmq-client@5.1.1

aliases CVE-2023-33246, GHSA-x3cq-8f32-5f63

risk_score 10.0

exploitability 2.0

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1328-ts31-5qak

url VCID-73wm-tvyt-buap

vulnerability_id VCID-73wm-tvyt-buap

summary

Path Traversal
In Apache RocketMQ, when the automatic topic creation in the broker is turned on by default, an evil topic like `../../../../topic2020` is sent from rocketmq-client to the broker, a topic folder will be created in the parent directory in brokers, which leads to a directory traversal vulnerability.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-17572

reference_id

reference_type

scores

value	0.01547
scoring_system	epss
scoring_elements	0.8173
published_at	2026-06-04T12:55:00Z

value	0.01547
scoring_system	epss
scoring_elements	0.8176
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-17572

reference_url

https://github.com/apache/rocketmq/commit/f8f6fbe4aa7f5dee937e688322628c366b12a552

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/rocketmq/commit/f8f6fbe4aa7f5dee937e688322628c366b12a552

reference_url

https://github.com/apache/rocketmq/issues/1637

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/rocketmq/issues/1637

reference_url

https://lists.apache.org/thread.html/fdea1c5407da47a17d5522fa149a097cacded1916c1c1534d46edc6d%40%3Cprivate.rocketmq.apache.org%3E

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/fdea1c5407da47a17d5522fa149a097cacded1916c1c1534d46edc6d%40%3Cprivate.rocketmq.apache.org%3E

reference_url

https://seclists.org/oss-sec/2020/q2/112

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://seclists.org/oss-sec/2020/q2/112

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEROCKETMQ-569108

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEROCKETMQ-569108

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-17572

reference_id

CVE-2019-17572

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2019-17572

reference_url

https://github.com/advisories/GHSA-5x3v-2gxr-59m2

reference_id

GHSA-5x3v-2gxr-59m2

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-5x3v-2gxr-59m2

fixed_packages

url pkg:maven/org.apache.rocketmq/rocketmq-client@4.6.1

purl pkg:maven/org.apache.rocketmq/rocketmq-client@4.6.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1328-ts31-5qak

vulnerability	VCID-jk3w-dds4-qbhw

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.rocketmq/rocketmq-client@4.6.1

aliases CVE-2019-17572, GHSA-5x3v-2gxr-59m2

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-73wm-tvyt-buap

url VCID-jk3w-dds4-qbhw

vulnerability_id VCID-jk3w-dds4-qbhw

summary

RocketMQ NameServer component Code Injection vulnerability
The RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1.

When NameServer address are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function on the NameServer component to execute commands as the system users that RocketMQ is running as.

It is recommended for users to upgrade their NameServer version to 5.1.2 or above for RocketMQ 5.x or 4.9.7 or above for RocketMQ 4.x to prevent these attacks.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-37582

reference_id

reference_type

scores

value	0.94002
scoring_system	epss
scoring_elements	0.99897
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-37582

reference_url

https://github.com/apache/rocketmq

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/rocketmq

reference_url

https://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T13:27:22Z/

url

https://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc

reference_url

http://www.openwall.com/lists/oss-security/2023/07/12/1

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T13:27:22Z/

url

http://www.openwall.com/lists/oss-security/2023/07/12/1

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-37582

reference_id

CVE-2023-37582

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-37582

reference_url	https://github.com/advisories/GHSA-gpq8-963w-8qc9
reference_id	GHSA-gpq8-963w-8qc9
reference_type
scores
url	https://github.com/advisories/GHSA-gpq8-963w-8qc9

fixed_packages

url pkg:maven/org.apache.rocketmq/rocketmq-client@4.9.7

purl pkg:maven/org.apache.rocketmq/rocketmq-client@4.9.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1328-ts31-5qak

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.rocketmq/rocketmq-client@4.9.7

url	pkg:maven/org.apache.rocketmq/rocketmq-client@5.1.2
purl	pkg:maven/org.apache.rocketmq/rocketmq-client@5.1.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.rocketmq/rocketmq-client@5.1.2

aliases CVE-2023-37582, GHSA-gpq8-963w-8qc9

risk_score 10.0

exploitability 2.0

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jk3w-dds4-qbhw

Fixing_vulnerabilities

Risk_score 10.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.rocketmq/rocketmq-client@4.3.0

Package Instance