CVE-2023-37582
CVE-2023-37582 is a critical-severity vulnerability in Apache Rocketmq with a CVSS 3.x base score of 9.8. Its EPSS exploit-prediction score of 90% places it in the 100th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-94.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 90% (100th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-94
- Affected product: Apache Rocketmq
- Published:
- Last modified:
Description
The RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1. When NameServer address are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function on the NameServer component to execute commands as the system users that RocketMQ is running as. It is recommended for users to upgrade their NameServer version to 5.1.2 or above for RocketMQ 5.x or 4.9.7 or above for RocketMQ 4.x to prevent these attacks.
Frequently asked questions
- What is CVE-2023-37582?
- The RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1. When NameServer address are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function on the NameServer component to execute commands as the system users that RocketMQ is running as. It is recommended for users to upgrade their NameServer version to 5.1.2 or above for RocketMQ 5.x or 4.9.7 or above for RocketMQ 4.x to prevent these attacks.
- How severe is CVE-2023-37582?
- CVE-2023-37582 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2023-37582 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 90% (100th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-37582?
- CVE-2023-37582 affects Apache Rocketmq. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-37582?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2023-37582 published?
- CVE-2023-37582 was published on 2023-07-12 and last updated on 2026-06-17.
References
- http://www.openwall.com/lists/oss-security/2023/07/12/1
- https://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc
Affected products (1)
- cpe:2.3:a:apache:rocketmq:*:*:*:*:*:*:*:*
More vulnerabilities in Apache Rocketmq
- CVE-2023-33246 — Critical (CVSS 9.8): For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command…
- CVE-2024-23321 — High (CVSS 8.8): For RocketMQ versions 5.2.0 and below, under certain conditions, there is a risk of exposure of sensitive Information…
- CVE-2019-17572 — Medium (CVSS 5.3): In Apache RocketMQ 4.2.0 to 4.6.0, when the automatic topic creation in the broker is turned on by default, an evil…
All CVEs affecting Apache Rocketmq →
Other CWE-94 (Code Injection) vulnerabilities
- CVE-2026-57624 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.46 versions.
- CVE-2026-10134 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read…
- CVE-2026-53576 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter…
- CVE-2026-10561 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due to an improper isolation of Python execution combined…
- CVE-2026-25470 — Critical (CVSS 10.0): Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin…
- CVE-2026-48836 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.