CVE-2023-46604 org.apache.activemq:activemq-client

Package

Manager: maven
Name: org.apache.activemq:activemq-client
Vulnerable Version: >=0 <5.15.16 || >=5.16.0 <5.16.7 || >=5.17.0 <5.17.6 || >=5.18.0 <5.18.3

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H

EPSS: 0.94436 (percentile 0.99986)

Details

Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.

Metadata

Created: 2023-10-27T15:30:20Z
Modified: 2025-02-13T19:20:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-crg9-44h2-xw35/GHSA-crg9-44h2-xw35.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-crg9-44h2-xw35
Finding: F096
Auto approve: 1