GHSA-f38p-mq64-h784

Source

https://github.com/advisories/GHSA-f38p-mq64-h784

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f38p-mq64-h784/GHSA-f38p-mq64-h784.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-f38p-mq64-h784

Aliases

CVE-2016-4974

Published

2022-05-14T02:46:14Z

Modified

2023-11-08T03:58:29.923117Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Improper Input Validation in Apache Qpid AMQP 0-x JMS

Details

Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP 1.0) before 0.10.0 does not restrict the use of classes available on the classpath, which might allow remote authenticated users with permission to send messages to deserialize arbitrary objects and execute arbitrary code by leveraging a crafted serialized object in a JMS ObjectMessage that is handled by the getObject function.

Database specific

{
    "nvd_published_at": "2016-07-13T15:59:00Z",
    "github_reviewed_at": "2022-07-06T19:53:45Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-20"
    ]
}

References

Affected packages

Maven / org.apache.qpid:qpid-jms-client

Package

Name: org.apache.qpid:qpid-jms-client; View open source insights on deps.dev
Purl: pkg:maven/org.apache.qpid/qpid-jms-client

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.10.0

Affected versions

0.*

0.1.0

0.2.0

0.3.0

0.4.0

0.5.0

0.6.0

0.7.0

0.8.0

0.9.0

Database specific

{
    "last_known_affected_version_range": "<= 0.9.0"
}