CVE-2020-36282
Unsafe Deserialization that can Result in Code Execution
EPSS 1.7%
Description
JMS Client for RabbitMQ 1.x before 1.15.2 and 2.x before 2.2.0 is vulnerable to unsafe deserialization that can result in code execution via crafted StreamMessage data.
How to fix CVE-2020-36282
To remediate CVE-2020-36282, upgrade the affected package to a fixed version listed below.
- Maven/com.rabbitmq.jms:rabbitmq-jms: upgrade to 2.2.0 or later (on the 1.x line, 1.15.2 or later, per the description above)
Is CVE-2020-36282 being exploited?
Low — EPSS is 1.7%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Maven/com.rabbitmq.jms:rabbitmq-jms: >= 2.0, < 2.2.0