Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 14 May 2020 15:11:14 +0800 (GMT+08:00)
From: ShannonDing <>
To: "" <>
Cc: "" <>
Subject: [SECURITY][CVE-2019-17572] Apache RocketMQ directory traversal

An directory traversal vulnerability[1] was discovered in the version RocketMQ 4.6.0 and it affect all
versions earlier. And it was fixed[2] in the version 4.6.1 and later according to the CVE-2019-17572.
Here is the detail of the vulnerability below:

[PRODUCT]:Apache RocketMQ
[VERSIONS]:Apache RocketMQ 4.2.0 to 4.6.0
[PROBLEMTYPE]: Directory traversal vulnerability
[DESCRIPTION]:When the automatic topic creation in the broker is turned on by default, an evil topic like “../../../../topic2020” is sent from rocketmq-client to the broker,  a topic folder will be created in the parent directory in brokers, which leads to a directory traversal vulnerability.
[MITIGATION]: Users of the affected versions should apply one of the following:
- Upgrade to Apache RocketMQ 4.6.1or later


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.