CVE-2019-17572

MEDIUM

Apache Rocketmq < 4.6.0 - Path Traversal

Title source: rule

Description

In Apache RocketMQ 4.2.0 to 4.6.0, when the automatic topic creation in the broker is turned on by default, an evil topic like “../../../../topic2020” is sent from rocketmq-client to the broker, a topic folder will be created in the parent directory in brokers, which leads to a directory traversal vulnerability. Users of the affected versions should apply one of the following: Upgrade to Apache RocketMQ 4.6.1 or later.

Exploits (1)

nomisec WORKING POC

by shoucheng3 · poc

https://github.com/shoucheng3/apache__rocketmq_CVE-2019-17572_4-6-0

View Code ZIP pw:eip

References (2)

[Broken Link] https://lists.apache.org/thread.html/fdea1c5407da47a17d5522fa149a097cacded1916c1c1534d46edc6d%40%3Cprivate.rocketmq.apache.org%3E

[Mailing List, Third Party Advisory] https://seclists.org/oss-sec/2020/q2/112

Scores

CVSS v3 5.3

EPSS 0.0155

EPSS Percentile 81.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-22

Status published

Products (2)

apache/rocketmq 4.2.0 - 4.6.0

org.apache.rocketmq/rocketmq-broker 4.2.0 - 4.6.1Maven

Published May 14, 2020

Tracked Since Feb 18, 2026