CVE-2016-4978

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2016-4978

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-4978.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2016-4978

Aliases

GHSA-r9vv-xj4w-g8m8

Related

Published

2016-09-27T15:59:01Z

Modified

2024-09-03T01:19:24.490191Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes being present on the Artemis classpath.

References

Affected packages

Git / github.com/apache/activemq-artemis

Affected ranges

Type: GIT
Repo: https://github.com/apache/activemq-artemis
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

b305e231ec634a6ee877af7aec45a6d06d78e994

Affected versions

1.*

1.0.0

1.1.0

1.2.0

1.3.0