Home > Vulnerability Database > CVE-2022-25167

Mend.io Vulnerability Database

CVE-2022-25167

Good to know:

Date: June 14, 2022

Apache Flume versions 1.4.0 through 1.9.0 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.

Language: Java

Severity Score

9.8

Related Resources (7)

Url: http://www.openwall.com/lists/oss-security/2022/06/14/1

Url: https://github.com/apache/flume

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-25167

Url: https://issues.apache.org/jira/browse/FLUME-3416

Url: https://github.com/apache/flume/commit/dafb26ccb172141c6e14e95447e1b6ae38e9a7d0

Url: https://lists.apache.org/thread/16nf6b81zjpdc4y93ho99oxo83ddbsvg

Url: https://www.mend.io/vulnerability-database/CVE-2022-25167

Severity Score

9.8

Weakness Type (CWE)

Improper Input Validation

CWE-20

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version org.apache.flume.flume-ng-sources:flume-jms-source:1.10.0

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	7.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2022-25167

Good to know:

Date: June 14, 2022

Language: Java

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?