CVE-2022-34916: Improper Input Validation (JNDI Injection) in JMSMessageConsumer
First published: Sun Aug 21 2022(Updated: )
Apache Flume versions 1.4.0 through 1.10.0 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Flume | >=1.4.0<1.10.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/title
- agent/last-modified-date
- agent/remedy
- agent/author
- agent/severity
- agent/description
- agent/first-publish-date
- agent/tags
- agent/event
- vendor/apache
- canonical/apache flume
- version/apache flume/1.4.0