CVE-2022-42468
Published: 2022-10-26
Severity: Critical, CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | flume | 1.4.0 – 1.10.1 | — |
| apache_software_foundation | apache_flume (Flume JMSSource) | < 1.11.0 | 1.11.0 |
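As an added example (not Flume's own code), a small Python audit script that applies the allow-list the fix describes to a Flume agent properties file: every source of type `jms` whose `providerURL` carries a scheme other than `java` is reported, while a scheme-less or `java:` value passes. The configuration text, agent and source names below are constructed for the demo.

```python
"""Audit a Flume properties file for JMS sources whose providerURL uses a
JNDI scheme other than ``java`` (CVE-2022-42468 exposure check).
Added example, not Flume's own code; mirrors the allow-list the fix
describes (``java`` scheme or no scheme). Sample config is constructed."""
import re
from urllib.parse import urlsplit

# Flume source properties look like: <agent>.sources.<name>.<key> = <value>
_SRC_PROP = re.compile(r"^\s*([\w-]+)\.sources\.([\w-]+)\.(\S+?)\s*=\s*(.*?)\s*$")


def parse_sources(config_text):
    """Return {(agent, source): {key: value}} for every source property."""
    sources = {}
    for line in config_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        m = _SRC_PROP.match(line)
        if m:
            agent, name, key, value = m.groups()
            sources.setdefault((agent, name), {})[key] = value
    return sources


def provider_url_allowed(url):
    """True when the JNDI provider URL has no scheme or the ``java`` scheme."""
    scheme = urlsplit(url).scheme
    return scheme == "" or scheme.lower() == "java"


def find_unsafe_jms_sources(config_text):
    """List (agent, source, providerURL) for JMS sources with a disallowed scheme."""
    findings = []
    for (agent, name), props in parse_sources(config_text).items():
        if props.get("type", "").lower() != "jms":
            continue  # only the JMS Source reads providerURL via JNDI
        url = props.get("providerURL", "")
        if url and not provider_url_allowed(url):
            findings.append((agent, name, url))
    return findings


# Constructed sample: one in-process java: URL, one external JNDI scheme.
SAMPLE_CONFIG = """
a1.sources = local remote
a1.sources.local.type = jms
a1.sources.local.providerURL = java:comp/env/jms
a1.sources.remote.type = jms
a1.sources.remote.providerURL = ldap://untrusted.example:389/o=x
a1.sources.remote.destinationName = queue1
"""

if __name__ == "__main__":
    for agent, name, url in find_unsafe_jms_sources(SAMPLE_CONFIG):
        print(f"{agent}.sources.{name}: providerURL '{url}' uses a non-java scheme")
```

Run it against a real agent file by reading the file into `find_unsafe_jms_sources`; any hit on a Flume version before 1.11.0 is a configuration to review.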