CVE-2021-20318

CWE-502 — Deserialization of Untrusted Data4 documents4 sources

Severity

7.2HIGH

EPSS

2.1%

top 15.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Enterprise Application Platform

Timeline

PublishedDec 23

Latest updateDec 24

Description

The HornetQ component of Artemis in EAP 7 was not updated with the fix for CVE-2016-4978. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5artemis_in_eap_77.3.9.GA, 7.4.0.GA

▶NVDredhat/jboss_enterprise_application_platform7.3.9, 7.4.0+1

🔴Vulnerability Details

GHSA

GHSA-36vx-8x4w-9h2m: The HornetQ component of Artemis in EAP 7 was not updated with the fix for CVE-2016-4978↗2021-12-24

▶

CVEList

CVE-2021-20318: The HornetQ component of Artemis in EAP 7 was not updated with the fix for CVE-2016-4978↗2021-12-23

▶

📋Vendor Advisories

Red Hat

7: Incomplete fix of CVE-2016-4978 in HornetQ library↗2021-10-05

▶