CVE-2015-5254 – org.apache.activemq:activemq-client
Package
Manager: maven
Name: org.apache.activemq:activemq-client
Vulnerable Version: >=5.0.0 <5.11.3 || >=5.12.0 <5.12.2
Severity
Level: Critical
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.80393 (pctl 0.9909)
Details
Improper Input Validation in Apache ActiveMQ
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.
Metadata
Created: 2022-05-13T01:30:05Z
Modified: 2023-12-20T20:12:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q9hr-3pg4-3jp4/GHSA-q9hr-3pg4-3jp4.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-q9hr-3pg4-3jp4
Finding: F184
Auto approve: 1