GHSA-crg9-44h2-xw35
Suggest an improvement- Source
- https://github.com/advisories/GHSA-crg9-44h2-xw35
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-crg9-44h2-xw35/GHSA-crg9-44h2-xw35.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-crg9-44h2-xw35
- Aliases
- Published
- 2023-10-27T15:30:20Z
- Modified
- 2024-02-17T05:36:54.720233Z
- Severity
-
- 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H CVSS Calculator
- Summary
- Apache ActiveMQ is vulnerable to Remote Code Execution
- Details
-
Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2023-46604
- https://github.com/apache/activemq/pull/1098
- https://github.com/apache/activemq/commit/80089f9f476afab7d976f5fc37c5ab4aa0c2139d
- https://activemq.apache.org/security-advisories.data/CVE-2023-46604
- https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
- https://github.com/apache/activemq
- https://issues.apache.org/jira/browse/AMQ-9370
- https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html
- https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html
- https://security.netapp.com/advisory/ntap-20231110-0010
- https://www.openwall.com/lists/oss-security/2023/10/27/5
- http://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html
- http://www.openwall.com/lists/oss-security/2023/10/27/5
Affected packages
Maven / org.apache.activemq:activemq-client
Package
- Name
- org.apache.activemq:activemq-client
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.activemq/activemq-client
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.15.16
Affected versions
5.*
5.8.0
5.9.0
5.9.1
5.10.0
5.10.1
5.10.2
5.11.0
5.11.1
5.11.2
5.11.3
5.11.4
5.12.0
5.12.1
5.12.2
5.12.3
5.13.0
5.13.1
5.13.2
5.13.3
5.13.4
5.13.5
5.14.0
5.14.1
5.14.2
5.14.3
5.14.4
5.14.5
5.15.0
5.15.1
5.15.2
5.15.3
5.15.4
5.15.5
5.15.6
5.15.7
5.15.8
5.15.9
5.15.10
5.15.11
5.15.12
5.15.13
5.15.14
5.15.15
Maven / org.apache.activemq:activemq-client
Package
- Name
- org.apache.activemq:activemq-client
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.activemq/activemq-client
Maven / org.apache.activemq:activemq-client
Package
- Name
- org.apache.activemq:activemq-client
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.activemq/activemq-client
Maven / org.apache.activemq:activemq-client
Package
- Name
- org.apache.activemq:activemq-client
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.activemq/activemq-client
Maven / org.apache.activemq:activemq-openwire-legacy
Package
- Name
- org.apache.activemq:activemq-openwire-legacy
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.activemq/activemq-openwire-legacy
Affected versions
5.*
5.8.0
5.9.0
5.9.1
5.10.0
5.10.1
5.10.2
5.11.0
5.11.1
5.11.2
5.11.3
5.11.4
5.12.0
5.12.1
5.12.2
5.12.3
5.13.0
5.13.1
5.13.2
5.13.3
5.13.4
5.13.5
5.14.0
5.14.1
5.14.2
5.14.3
5.14.4
5.14.5
5.15.0
5.15.1
5.15.2
5.15.3
5.15.4
5.15.5
5.15.6
5.15.7
5.15.8
5.15.9
5.15.10
5.15.11
5.15.12
5.15.13
5.15.14
5.15.15
Maven / org.apache.activemq:activemq-openwire-legacy
Package
- Name
- org.apache.activemq:activemq-openwire-legacy
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.activemq/activemq-openwire-legacy
Maven / org.apache.activemq:activemq-openwire-legacy
Package
- Name
- org.apache.activemq:activemq-openwire-legacy
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.activemq/activemq-openwire-legacy
Maven / org.apache.activemq:activemq-openwire-legacy
Package
- Name
- org.apache.activemq:activemq-openwire-legacy
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.activemq/activemq-openwire-legacy