CVE-2016-4974 – org.apache.qpid:qpid-jms-client
Package
Manager: maven
Name: org.apache.qpid:qpid-jms-client
Vulnerable Version: >=0 <0.10.0
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.02129 (percentile 0.8351)
Details
Improper Input Validation in Apache Qpid AMQP 0-x JMS
Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP 1.0) client before 0.10.0 do not restrict the use of classes available on the classpath, which might allow remote authenticated users with permission to send messages to deserialize arbitrary objects and execute arbitrary code by leveraging a crafted serialized object in a JMS ObjectMessage that is handled by the getObject function.
Metadata
Created: 2022-05-14T02:46:14Z
Modified: 2022-07-06T19:53:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f38p-mq64-h784/GHSA-f38p-mq64-h784.json
CWE IDs: CWE-20
Alternative ID: GHSA-f38p-mq64-h784
Finding: F184
Auto approve: 1