CVE-2016-4974

HIGH

Apache Qpid AMQP JMS Client < 6.0.4 & JMS (AMQP 1.0) < 0.10.0 - RCE via JMS ObjectMessage Deserialization

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-4974. PoCs published by dawetmaster, andikahilmy.

AI-analyzed exploit summary This repository contains source code for Apache Qpid Broker-J, specifically the BerkeleyDB store component, which is vulnerable to CVE-2016-4974. The code includes JMX management beans and backup scripts, but no explicit exploit PoC is present.

Description

Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP 1.0) before 0.10.0 does not restrict the use of classes available on the classpath, which might allow remote authenticated users with permission to send messages to deserialize arbitrary objects and execute arbitrary code by leveraging a crafted serialized object in a JMS ObjectMessage that is handled by the getObject function.

Exploits (2)

nomisec WRITEUP
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2016-4974-qpid-broker-j-vulnerable

This repository contains source code for Apache Qpid Broker-J, specifically the BerkeleyDB store component, which is vulnerable to CVE-2016-4974. The code includes JMX management beans and backup scripts, but no explicit exploit PoC is present.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Apache Qpid Broker-J (BerkeleyDB store component)
No auth needed
Prerequisites: Access to vulnerable Qpid Broker-J instance
devstral-2 · analyzed Mar 14, 2026 Full analysis →
nomisec WRITEUP
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2016-4974-qpid-broker-j-vulnerable

This repository contains source code files from Apache Qpid Broker-J, specifically the BerkeleyDB store component, which is vulnerable to CVE-2016-4974. The files include Java classes and a backup script, but no explicit exploit code is present. The repository appears to be a snapshot of the vulnerable codebase rather than a functional exploit or analysis.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Apache Qpid Broker-J (BerkeleyDB store component)
No auth needed
Prerequisites: Access to vulnerable Apache Qpid Broker-J instance
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (7)

Core 7
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/91537
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/538813/100/0/threaded
Issue Tracking x_refsource_confirm
https://issues.apache.org/jira/browse/QPIDJMS-188
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036239
Vendor Advisory x_refsource_confirm
http://qpid.apache.org/components/jms/security-0-x.html
Vendor Advisory x_refsource_confirm
http://qpid.apache.org/components/jms/security.html

Scores

CVSS v3 7.5
EPSS 0.0213
EPSS Percentile 84.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-20
Status published
Products (3)
apache/amqp_0-x_jms_client < 6.0.3
apache/jms_client_amqp < 0.9.0
org.apache.qpid/qpid-jms-client 0 - 0.10.0Maven
Published Jul 13, 2016
Tracked Since Feb 18, 2026