CVE-2022-42468

Опубликовано: 26 окт. 2022

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.

Ссылки

https://issues.apache.org/jira/browse/FLUME-3437
Issue Tracking
Vendor Advisory
https://lists.apache.org/thread/1ckhmp539zr2nd2rs45pocpywk2d9zvz
Mailing List
Vendor Advisory
https://lists.apache.org/thread/939wkx8o90bp6m2ht3t1sdyo1ncypl78
Mailing List
Patch
Vendor Advisory
https://issues.apache.org/jira/browse/FLUME-3437
Issue Tracking
Vendor Advisory
https://lists.apache.org/thread/1ckhmp539zr2nd2rs45pocpywk2d9zvz
Mailing List
Vendor Advisory
https://lists.apache.org/thread/939wkx8o90bp6m2ht3t1sdyo1ncypl78
Mailing List
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:flume:*:*:*:*:*:*:*:*

Версия от 1.4.0 (включая) до 1.10.1 (включая)

EPSS

Процентиль: 83%

0.01883

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-20

Связанные уязвимости

GHSA-9w4g-fp9h-3q2v