Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/org.apache.rocketmq/rocketmq-broker@4.6.1
Typemaven
Namespaceorg.apache.rocketmq
Namerocketmq-broker
Version4.6.1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version4.9.7
Latest_non_vulnerable_version5.1.2
Affected_by_vulnerabilities
0
url VCID-jk3w-dds4-qbhw
vulnerability_id VCID-jk3w-dds4-qbhw
summary 
RocketMQ NameServer component Code Injection vulnerability
The RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1.

When NameServer address are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function on the NameServer component to execute commands as the system users that RocketMQ is running as.

It is recommended for users to upgrade their NameServer version to 5.1.2 or above for RocketMQ 5.x or 4.9.7 or above for RocketMQ 4.x to prevent these attacks.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-37582
reference_id
reference_type
scores
0
value 0.94002
scoring_system epss
scoring_elements 0.99897
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-37582
1
reference_url https://github.com/apache/rocketmq
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/apache/rocketmq
2
reference_url https://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T13:27:22Z/
url https://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc
3
reference_url http://www.openwall.com/lists/oss-security/2023/07/12/1
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T13:27:22Z/
url http://www.openwall.com/lists/oss-security/2023/07/12/1
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-37582
reference_id CVE-2023-37582
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-37582
5
reference_url https://github.com/advisories/GHSA-gpq8-963w-8qc9
reference_id GHSA-gpq8-963w-8qc9
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gpq8-963w-8qc9
fixed_packages
0
url pkg:maven/org.apache.rocketmq/rocketmq-broker@4.9.7
purl pkg:maven/org.apache.rocketmq/rocketmq-broker@4.9.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.rocketmq/rocketmq-broker@4.9.7
1
url pkg:maven/org.apache.rocketmq/rocketmq-broker@5.1.2
purl pkg:maven/org.apache.rocketmq/rocketmq-broker@5.1.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.rocketmq/rocketmq-broker@5.1.2
aliases CVE-2023-37582, GHSA-gpq8-963w-8qc9
risk_score 10.0
exploitability 2.0
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jk3w-dds4-qbhw
Fixing_vulnerabilities
0
url VCID-73wm-tvyt-buap
vulnerability_id VCID-73wm-tvyt-buap
summary 
Path Traversal
In Apache RocketMQ, when the automatic topic creation in the broker is turned on by default, an evil topic like `../../../../topic2020` is sent from rocketmq-client to the broker, a topic folder will be created in the parent directory in brokers, which leads to a directory traversal vulnerability.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-17572
reference_id
reference_type
scores
0
value 0.01547
scoring_system epss
scoring_elements 0.8173
published_at 2026-06-04T12:55:00Z
1
value 0.01547
scoring_system epss
scoring_elements 0.8176
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-17572
1
reference_url https://github.com/apache/rocketmq/commit/f8f6fbe4aa7f5dee937e688322628c366b12a552
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/rocketmq/commit/f8f6fbe4aa7f5dee937e688322628c366b12a552
2
reference_url https://github.com/apache/rocketmq/issues/1637
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/rocketmq/issues/1637
3
reference_url https://lists.apache.org/thread.html/fdea1c5407da47a17d5522fa149a097cacded1916c1c1534d46edc6d%40%3Cprivate.rocketmq.apache.org%3E
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/fdea1c5407da47a17d5522fa149a097cacded1916c1c1534d46edc6d%40%3Cprivate.rocketmq.apache.org%3E
4
reference_url https://seclists.org/oss-sec/2020/q2/112
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://seclists.org/oss-sec/2020/q2/112
5
reference_url https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEROCKETMQ-569108
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEROCKETMQ-569108
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-17572
reference_id CVE-2019-17572
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-17572
7
reference_url https://github.com/advisories/GHSA-5x3v-2gxr-59m2
reference_id GHSA-5x3v-2gxr-59m2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5x3v-2gxr-59m2
fixed_packages
0
url pkg:maven/org.apache.rocketmq/rocketmq-broker@4.6.1
purl pkg:maven/org.apache.rocketmq/rocketmq-broker@4.6.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jk3w-dds4-qbhw
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.rocketmq/rocketmq-broker@4.6.1
aliases CVE-2019-17572, GHSA-5x3v-2gxr-59m2
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-73wm-tvyt-buap
Risk_score10.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/org.apache.rocketmq/rocketmq-broker@4.6.1