CVE-2023-46604

CVSS V2 None CVSS V3 None

Description

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.

Overview

CVE ID
CVE-2023-46604

Assigner
apache

Vulnerability Status
PUBLISHED

Published Version
2023-10-27T14:59:31.046Z

Last Modified Date
2023-11-28T15:02:28.206Z

Weakness Enumerations

CWE	URL
CWE-502	http://cwe.mitre.org/data/definitions/502.html

References

Reference URL	Reference Tags
https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt	vendor-advisory
https://www.openwall.com/lists/oss-security/2023/10/27/5
https://security.netapp.com/advisory/ntap-20231110-0010/
https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html
https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html
http://seclists.org/fulldisclosure/2024/Apr/18

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-46604
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46604

History

Created	Old Value	New Value	Data Type	Notes
2024-06-24 22:24:52				Added to TrackCVE