CVE-2016-4974 — Improper Input Validation in Apache Qpid AMQP 0-x JMS

Description

Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP 1.0) before 0.10.0 does not restrict the use of classes available on the classpath, which might allow remote authenticated users with permission to send messages to deserialize arbitrary objects and execute arbitrary code by leveraging a crafted serialized object in a JMS ObjectMessage that is handled by the getObject function.

How to fix CVE-2016-4974

To remediate CVE-2016-4974, upgrade the affected package to a fixed version below.

—upgrade to 0.10.0 or later

Is CVE-2016-4974 being exploited?

Moderate — EPSS is 6.2%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 0.10.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-4974
WEBpacketstormsecurity.com/files/137749/Apache-Qpid-Untrusted-Input-Deserialization.html
WEBqpid.apache.org/components/jms/security-0-x.html
WEBqpid.apache.org/components/jms/security.html