GHSA-crg9-44h2-xw35

Suggest an improvement
Source
https://github.com/advisories/GHSA-crg9-44h2-xw35
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-crg9-44h2-xw35/GHSA-crg9-44h2-xw35.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-crg9-44h2-xw35
Aliases
Published
2023-10-27T15:30:20Z
Modified
2024-02-17T05:36:54.720233Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H CVSS Calculator
Summary
Apache ActiveMQ is vulnerable to Remote Code Execution
Details

Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. 

Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.

Database specific
{
    "nvd_published_at": "2023-10-27T15:15:14Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-30T20:08:40Z"
}
References

Affected packages

Maven / org.apache.activemq:activemq-client

Package

Name
org.apache.activemq:activemq-client
View open source insights on deps.dev
Purl
pkg:maven/org.apache.activemq/activemq-client

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.16

Affected versions

5.*

5.8.0
5.9.0
5.9.1
5.10.0
5.10.1
5.10.2
5.11.0
5.11.1
5.11.2
5.11.3
5.11.4
5.12.0
5.12.1
5.12.2
5.12.3
5.13.0
5.13.1
5.13.2
5.13.3
5.13.4
5.13.5
5.14.0
5.14.1
5.14.2
5.14.3
5.14.4
5.14.5
5.15.0
5.15.1
5.15.2
5.15.3
5.15.4
5.15.5
5.15.6
5.15.7
5.15.8
5.15.9
5.15.10
5.15.11
5.15.12
5.15.13
5.15.14
5.15.15

Maven / org.apache.activemq:activemq-client

Package

Name
org.apache.activemq:activemq-client
View open source insights on deps.dev
Purl
pkg:maven/org.apache.activemq/activemq-client

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.16.7

Affected versions

5.*

5.16.0
5.16.1
5.16.2
5.16.3
5.16.4
5.16.5
5.16.6

Maven / org.apache.activemq:activemq-client

Package

Name
org.apache.activemq:activemq-client
View open source insights on deps.dev
Purl
pkg:maven/org.apache.activemq/activemq-client

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.17.0
Fixed
5.17.6

Affected versions

5.*

5.17.0
5.17.1
5.17.2
5.17.3
5.17.4
5.17.5

Maven / org.apache.activemq:activemq-client

Package

Name
org.apache.activemq:activemq-client
View open source insights on deps.dev
Purl
pkg:maven/org.apache.activemq/activemq-client

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.18.0
Fixed
5.18.3

Affected versions

5.*

5.18.0
5.18.1
5.18.2

Maven / org.apache.activemq:activemq-openwire-legacy

Package

Name
org.apache.activemq:activemq-openwire-legacy
View open source insights on deps.dev
Purl
pkg:maven/org.apache.activemq/activemq-openwire-legacy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.8.0
Fixed
5.15.16

Affected versions

5.*

5.8.0
5.9.0
5.9.1
5.10.0
5.10.1
5.10.2
5.11.0
5.11.1
5.11.2
5.11.3
5.11.4
5.12.0
5.12.1
5.12.2
5.12.3
5.13.0
5.13.1
5.13.2
5.13.3
5.13.4
5.13.5
5.14.0
5.14.1
5.14.2
5.14.3
5.14.4
5.14.5
5.15.0
5.15.1
5.15.2
5.15.3
5.15.4
5.15.5
5.15.6
5.15.7
5.15.8
5.15.9
5.15.10
5.15.11
5.15.12
5.15.13
5.15.14
5.15.15

Maven / org.apache.activemq:activemq-openwire-legacy

Package

Name
org.apache.activemq:activemq-openwire-legacy
View open source insights on deps.dev
Purl
pkg:maven/org.apache.activemq/activemq-openwire-legacy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.16.7

Affected versions

5.*

5.16.0
5.16.1
5.16.2
5.16.3
5.16.4
5.16.5
5.16.6

Maven / org.apache.activemq:activemq-openwire-legacy

Package

Name
org.apache.activemq:activemq-openwire-legacy
View open source insights on deps.dev
Purl
pkg:maven/org.apache.activemq/activemq-openwire-legacy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.17.0
Fixed
5.17.6

Affected versions

5.*

5.17.0
5.17.1
5.17.2
5.17.3
5.17.4
5.17.5

Maven / org.apache.activemq:activemq-openwire-legacy

Package

Name
org.apache.activemq:activemq-openwire-legacy
View open source insights on deps.dev
Purl
pkg:maven/org.apache.activemq/activemq-openwire-legacy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.18.0
Fixed
5.18.3

Affected versions

5.*

5.18.0
5.18.1
5.18.2