CVE-2016-4978 – org.apache.activemq:artemis-pom

Package

Manager: maven
Name: org.apache.activemq:artemis-pom
Vulnerable Version: >=0 <1.4.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.01168 pctl0.77844

Details

Apache ActiveMQ Artemis RCE Via Deserialization Gadget Chain The getObject method of the `javax.jms.ObjectMessage` class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes being present on the Artemis classpath.

Metadata

Created: 2022-05-13T01:11:53Z
Modified: 2023-11-01T20:55:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-r9vv-xj4w-g8m8/GHSA-r9vv-xj4w-g8m8.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-r9vv-xj4w-g8m8
Finding: F096
Auto approve: 1