CVE-2022-42468: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

October 26, 2022 (updated July 28, 2023)

Apache Flume versions 1.4.0 through 1.10.1 is vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.

References

github.com/advisories/GHSA-9w4g-fp9h-3q2v
github.com/apache/flume/commit/eee179a09df405c1ab55ae25a53b76ca1050bb97
issues.apache.org/jira/browse/FLUME-3437
lists.apache.org/thread/1ckhmp539zr2nd2rs45pocpywk2d9zvz
lists.apache.org/thread/939wkx8o90bp6m2ht3t1sdyo1ncypl78
nvd.nist.gov/vuln/detail/CVE-2022-42468

Detect and mitigate CVE-2022-42468 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →