PT-2022-26450 · Apache · Apache Flume
Nbxiglk · Published 2022-10-26 · Updated 2025-05-07 · CVE-2022-42468
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Apache Flume versions 1.4.0 through 1.10.1
Description
The issue allows a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. The JMSSource class is configured with a providerUrl parameter and performs a JNDI lookup on it without validation, which can lead to the deserialization of untrusted data.
Recommendations
For Apache Flume versions 1.4.0 through 1.10.1, update to version 1.11.0 to fix the issue by limiting JNDI to allow only the use of the java protocol or no protocol.
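As an added example (not code from the advisory or from the Flume project), the following script audits a Flume agent properties file for JMS sources whose providerURL uses any JNDI protocol other than `java` or none, which is the same restriction 1.11.0 applies. It assumes the standard `<agent>.sources.<name>.type = jms` and `.providerURL` keys, and the embedded configuration is constructed for illustration.

```python
import re

# Constructed sample Flume agent properties (not from the advisory): a JMS
# source pointing at a remote naming service, one using the in-JVM "java:"
# namespace, and a non-JMS source that the audit must ignore.
SAMPLE_CONFIG = """
a1.sources = jms_remote jms_local spool
a1.sources.jms_remote.type = jms
a1.sources.jms_remote.providerURL = ldap://naming.example.internal:1389/cf
a1.sources.jms_local.type = jms
a1.sources.jms_local.providerURL = java:comp/env/jms/ConnectionFactory
a1.sources.spool.type = spooldir
a1.sources.spool.spoolDir = /var/log/flume
"""

SAFE_SCHEMES = {"", "java"}  # no protocol, or the in-JVM java: namespace
PROP_RE = re.compile(r"^\s*([^#=\s][^=\s]*)\s*=\s*(.*?)\s*$")

def parse_properties(text):
    """Return {key: value} for the 'key = value' lines of a Flume config."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def url_scheme(value):
    """Lower-cased scheme of a providerURL, or '' when it has none."""
    head, sep, _ = value.partition(":")
    if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9+.-]*", head):
        return ""
    return head.lower()

def audit_jms_sources(text):
    """List (source_key, providerURL) pairs whose scheme is not java/none."""
    props = parse_properties(text)
    findings = []
    for key, value in props.items():
        if key.endswith(".type") and value.strip().lower() == "jms":
            src = key[: -len(".type")]
            url = props.get(src + ".providerURL", "")
            if url_scheme(url) not in SAFE_SCHEMES:
                findings.append((src, url))
    return findings

if __name__ == "__main__":
    for src, url in audit_jms_sources(SAMPLE_CONFIG):
        print(f"{src}: providerURL '{url}' uses a non-java JNDI protocol")
```

Run it against a real agent file by reading the file into `audit_jms_sources`; any finding is a source that should be moved to a `java:` or protocol-less providerURL, or upgraded to 1.11.0 where the lookup is restricted.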
Fix
RCE
Special Elements Injection
Deserialization of Untrusted Data
Related Identifiers
Affected Products
Apache Flume