9.8

CVE-2022-34916

Improper Input Validation (JNDI Injection) in JMSMessageConsumer

Apache Flume versions 1.4.0 through 1.10.0 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheFlume Version >= 1.4.0 < 1.10.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.31% 0.811
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://issues.apache.org/jira/browse/FLUME-3428
Vendor Advisory
Issue Tracking
https://lists.apache.org/thread/qkmt4r2t9tbrxrdbjg1m2oczbvczd9zn
Patch
Vendor Advisory
Mailing List