Improper Input Validation in Apache Qpid AMQP 0-x JMS
HIGH
GHSA-f38p-mq64-h784
CVE-2016-4974
Description:
Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP 1.0) before 0.10.0 does not restrict the use of classes available on the classpath, which might allow remote authenticated users with permission to send messages to deserialize arbitrary objects and execute arbitrary code by leveraging a crafted serialized object in a JMS ObjectMessage that is handled by the getObject function.
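The root cause is that `ObjectMessage.getObject()` runs Java deserialization over sender-controlled bytes, so whoever can publish to the queue chooses which serializable class on the consumer's classpath gets instantiated. The following is an added illustration, not code from the Apache Qpid project: it shows the general mitigation shape (a deserializer that refuses every class outside an explicit allow list) on a constructed benign payload and a constructed payload of an unexpected class. The allow-list contents, the sample payloads and the `QPID_URI_WITH_POLICY` string are assumptions for the example; the `jms.deserializationPolicy.*` option names are my recollection of the Qpid JMS 0.10.0 configuration documentation linked under References and should be checked against that page for your client version.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not Apache Qpid code). A consumer that trusts ObjectMessage.getObject()
 * lets the message sender pick the class to deserialize; the defence is to pin the set of
 * classes the receiver will resolve. With the patched Qpid JMS client this pinning is done
 * by the client itself, driven by connection URI options (see QPID_URI_WITH_POLICY below).
 */
public class DeserializationAllowList {

    /** Assumption for the example: the only types this consumer legitimately receives. */
    static final Set<String> ALLOWED = Set.of(
            "java.util.HashMap", "java.util.Map",
            "java.lang.Integer", "java.lang.Number");

    /**
     * Assumed option names from the Qpid JMS configuration docs (verify for your version):
     * the 0.10.0 fix restricts ObjectMessage deserialization per connection, so a consumer
     * cannot wrap the stream itself and must configure the policy on the URI instead.
     */
    static final String QPID_URI_WITH_POLICY =
            "amqp://localhost:5672?jms.deserializationPolicy.whiteList=java.util,java.lang";

    /** ObjectInputStream that rejects any class descriptor not on the allow list. */
    static final class AllowListInputStream extends ObjectInputStream {
        AllowListInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Called for every class descriptor in the stream, including serializable
            // superclasses, before any instance is created, so the check happens early.
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(
                        "class not permitted for deserialization: " + desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    /** Produce the bytes a JMS ObjectMessage would carry (constructed test input). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize under the allow list; throws InvalidClassException on anything else. */
    static Object deserializeRestricted(byte[] bytes)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign payload: a map of the kind the consumer expects.
        Map<String, Integer> order = new HashMap<>();
        order.put("qty", 3);
        System.out.println("accepted: " + deserializeRestricted(serialize(order)));

        // Constructed stand-in for a sender-chosen class. java.util.Date is harmless, but
        // it is not on the list, so it is refused exactly as a gadget class would be.
        try {
            deserializeRestricted(serialize(new java.util.Date(0)));
            System.out.println("BUG: unexpected class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On JDK 9 and later the same restriction can be expressed without a subclass via `ObjectInputStream.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.util.*;java.lang.*;!*"))`. In practice the stronger consumer-side control is to not accept `ObjectMessage` at all: check `msg instanceof ObjectMessage` and reject or log it, and carry structured data as `TextMessage`/`BytesMessage` with an explicit schema, since an allow list still has to be maintained as the classpath changes.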
Affected Packages
| Ecosystem | Package | Vulnerable Versions | Patched Version |
|---|---|---|---|
| maven | org.apache.qpid:qpid-jms-client | <= 0.9.0 | 0.10.0 |
Advisory Details
| Published: | May 14, 2022 |
| Updated: | June 10, 2026 |
| CVSS Score: | 7.5 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| EPSS: | 2.13% 85th percentile |
| Source: | Github |
| Classification: | GENERAL |
| UUID: | GSA_kwCzR0hTQS1mMzhwLW1xNjQtaDc4NM4AAV98 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2016-4974
- https://issues.apache.org/jira/browse/QPIDJMS-188
- http://packetstormsecurity.com/files/137749/Apache-Qpid-Untrusted-Input-Deserialization.html
- http://qpid.apache.org/components/jms/security-0-x.html
- http://qpid.apache.org/components/jms/security.html
- https://github.com/advisories/GHSA-f38p-mq64-h784