QwikSec

Security Database

CVE

CWE

Training

CVE-2016-4974

Published: Jul 13, 2016

Modified: Aug 6, 2024

PUBLISHED

Description

Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP 1.0) before 0.10.0 does not restrict the use of classes available on the classpath, which might allow remote authenticated users with permission to send messages to deserialize arbitrary objects and execute arbitrary code by leveraging a crafted serialized object in a JMS ObjectMessage that is handled by the getObject function.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

vdb-entry

x_refsource_BID

20160702 [SECURITY] CVE-2016-4974: Apache Qpid: deserialization of untrusted input while using JMS ObjectMessage

mailing-list

x_refsource_BUGTRAQ

https://issues.apache.org/jira/browse/QPIDJMS-188

x_refsource_CONFIRM

vdb-entry

x_refsource_SECTRACK

http://qpid.apache.org/components/jms/security-0-x.html

x_refsource_CONFIRM

http://packetstormsecurity.com/files/137749/Apache-Qpid-Untrusted-Input-Deserialization.html

x_refsource_MISC

http://qpid.apache.org/components/jms/security.html

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.