CVE-2022-42468

CVSS v3.1 9.8 (Critical)

EPSS 0.64 % (79^th)

Affected Products 1

Advisories 1

Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.

Weaknesses

CWE-20: Improper Input Validation
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVE Status: PUBLISHED
CNA: Apache Software Foundation
Published Date: 2022-10-26 16:15:11
(23 months ago)
Updated Date: 2022-10-28 17:41:20
(23 months ago)

Affected Products

Apache

Flume

Configuration #1

		CPE23	From	Up To
	Apache Flume from 1.4.0 version and 1.10.1 and prior versions	cpe:2.3:a:apache:flume	>= 1.4.0	<= 1.10.1