CVE-2023-33246

Apache RocketMQ: Possible remote code execution vulnerability when using the update configuration function

Basic Information

CVE State
PUBLISHED
Reserved Date
May 21, 2023
Published Date
May 24, 2023
Last Updated
February 13, 2025
Vendor
Apache Software Foundation
Product
Apache RocketMQ
Description
For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are exposed on the extranet and lack permission verification; an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system user that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above when using RocketMQ 5.x, or to 4.9.6 or above when using RocketMQ 4.x.

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2023-09-06 00:00:00 UTC)
Proof of Concept Available
Yes (added 2023-10-28 07:08:19 UTC)

Known Exploited Vulnerability Information

Source Added Date
CISA 2023-09-06 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

apache_rocketmq_update_config

Type: metasploit • Created: Unknown

Metasploit module for CVE-2023-33246

0xKayala/CVE-2023-33246

Type: github • Created: 2023-10-28 07:08:19 UTC • Stars: 2

CVE-2023-33246 - Apache RocketMQ config RCE

AiK1d/CVE-2023-33246

Type: github • Created: 2023-06-02 01:41:12 UTC • Stars: 2

CVE-2023-33246: Apache RocketMQ remote command execution vulnerability detection tool

Malayke/CVE-2023-33246_RocketMQ_RCE_EXPLOIT

Type: github • Created: 2023-06-01 14:48:26 UTC • Stars: 100

CVE-2023-33246 RocketMQ RCE Detect By Version and Exploit

SuperZero/CVE-2023-33246

Type: github • Created: 2023-06-01 06:27:09 UTC • Stars: 106

Apache RocketMQ remote code execution vulnerability (CVE-2023-33246) Exploit

Le1a/CVE-2023-33246

Type: github • Created: 2023-06-01 02:17:20 UTC • Stars: 80

Apache RocketMQ remote code execution vulnerability (CVE-2023-33246) Exploit

4mazing/CVE-2023-33246-Copy

Type: github • Created: 2023-05-31 07:28:46 UTC • Stars: 2

I5N0rth/CVE-2023-33246

Type: github • Created: 2023-05-30 02:18:29 UTC • Stars: 62