Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2023-46604
Good to know:
Date: October 27, 2023
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
Language: Java
Severity Score
Related Resources (11)
Severity Score
Weakness Type (CWE)
Deserialization of Untrusted Data
CWE-502Top Fix
Upgrade Version
Upgrade to version org.apache.activemq:activemq-client:5.15.16,5.16.7,5.17.6,5.18.3, org.apache.activemq:activemq-openwire-legacy:5.15.16,5.16.7,5.17.6,5.18.3, org.apache.activemq:activemq-client-jakarta:5.18.3, org.apache.activemq:activemq-all:5.15.16,5.16.7,5.17.6,5.18.3, org.apache.activemq:activemq-osgi:5.15.16,5.16.7,5.17.6,5.18.3
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | NONE |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | HIGH |
| Integrity (I): | HIGH |
| Availability (A): | HIGH |