ghsa-crg9-44h2-xw35
Vulnerability from github
Published
2023-10-27 15:30
Modified
2023-11-28 22:24
Severity
Summary
Apache ActiveMQ is vulnerable to Remote Code Execution
Details
Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
{ "affected": [ { "package": { "ecosystem": "Maven", "name": "org.apache.activemq:activemq-client" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "5.15.16" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.apache.activemq:activemq-client" }, "ranges": [ { "events": [ { "introduced": "5.16.0" }, { "fixed": "5.16.7" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.apache.activemq:activemq-client" }, "ranges": [ { "events": [ { "introduced": "5.17.0" }, { "fixed": "5.17.6" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.apache.activemq:activemq-client" }, "ranges": [ { "events": [ { "introduced": "5.18.0" }, { "fixed": "5.18.3" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.apache.activemq:activemq-openwire-legacy" }, "ranges": [ { "events": [ { "introduced": "5.8.0" }, { "fixed": "5.15.16" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.apache.activemq:activemq-openwire-legacy" }, "ranges": [ { "events": [ { "introduced": "5.16.0" }, { "fixed": "5.16.7" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.apache.activemq:activemq-openwire-legacy" }, "ranges": [ { "events": [ { "introduced": "5.17.0" }, { "fixed": "5.17.6" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.apache.activemq:activemq-openwire-legacy" }, "ranges": [ { "events": [ { "introduced": "5.18.0" }, { "fixed": "5.18.3" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2023-46604" ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2023-10-30T20:08:40Z", "nvd_published_at": "2023-10-27T15:15:14Z", "severity": "CRITICAL" }, "details": "Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate\u00a0any class on the classpath.\u00a0\n\nUsers are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.", "id": "GHSA-crg9-44h2-xw35", "modified": "2023-11-28T22:24:39Z", "published": "2023-10-27T15:30:20Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46604" }, { "type": "WEB", "url": "https://github.com/apache/activemq/pull/1098" }, { "type": "WEB", "url": "https://github.com/apache/activemq/commit/80089f9f476afab7d976f5fc37c5ab4aa0c2139d" }, { "type": "WEB", "url": "https://activemq.apache.org/security-advisories.data/CVE-2023-46604" }, { "type": "WEB", "url": "https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt" }, { "type": "PACKAGE", "url": "https://github.com/apache/activemq" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/AMQ-9370" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html" }, { "type": "WEB", "url": "https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20231110-0010" }, { "type": "WEB", "url": "https://www.openwall.com/lists/oss-security/2023/10/27/5" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2023/10/27/5" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H", "type": "CVSS_V3" } ], "summary": "Apache ActiveMQ is vulnerable to Remote Code Execution" }
Loading...