CVE-2022-42468
Apache Flume 1.4.0-1.10.1 - Remote Code Execution via JMS Source ProviderURL
Severity
CRITICAL
Title source: llm
Description
Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to remote code execution (RCE) when an agent configuration uses a JMS Source with an unsafe providerURL. The JMS Source hands providerURL to JNDI as the initial context's provider URL when it looks up the connection factory, so a value that points at a remote JNDI provider (for example an ldap:// or rmi:// URL under an attacker's control) lets that provider decide what the agent loads and instantiates. The issue is fixed in Flume 1.11.0 by limiting JNDI to the java protocol or no protocol at all. Exploitation requires that the attacker can influence the providerURL in the agent's configuration, so who can write or supply that configuration is the practical exposure to assess.
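As an added example (not code from the Apache Flume project or from the advisory), the following script reads a Flume agent properties file and flags every JMS source whose providerURL names a JNDI protocol other than java, which is the allowlist rule the 1.11.0 fix enforces at runtime, applied here ahead of deployment to the configuration itself. The sample configuration, the source names and the host 203.0.113.10 are constructed for the example, and the parser assumes the key = value form that Flume agent files use.

```python
"""Audit a Flume agent configuration for JMS sources whose providerURL uses a
JNDI protocol other than "java" (the rule the 1.11.0 fix enforces).

Added example, not code from the Apache Flume project.  The scheme rule
("java" or no scheme passes, anything else is flagged) is taken from the
advisory text; the parser only handles the key = value form of agent files.
"""
import re
from typing import Dict, List, Optional

# Constructed sample agent configuration (not from the advisory).  jms1 points
# its JNDI provider at a remote LDAP server, the shape of providerURL the
# advisory is about; jms2 uses a local "java:" URL, which the fix still allows.
SAMPLE_CONFIG = """\
agent.sources = jms1 jms2 avro1
agent.channels = c1

agent.sources.jms1.type = jms
agent.sources.jms1.initialContextFactory = org.apache.activemq.jndi.ActiveMQInitialContextFactory
agent.sources.jms1.providerURL = ldap://203.0.113.10:1389/o=flume
agent.sources.jms1.destinationName = BUSINESS_DATA
agent.sources.jms1.destinationType = QUEUE
agent.sources.jms1.channels = c1

agent.sources.jms2.type = jms
agent.sources.jms2.initialContextFactory = org.apache.activemq.jndi.ActiveMQInitialContextFactory
agent.sources.jms2.providerURL = java:comp/env/jms/ConnectionFactory
agent.sources.jms2.destinationName = BUSINESS_DATA
agent.sources.jms2.channels = c1

agent.sources.avro1.type = avro
agent.sources.avro1.bind = 0.0.0.0
agent.sources.avro1.port = 4141
"""

# URI scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
ALLOWED_SCHEMES = {None, "java"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key = value parser for Flume agent files (# and ! start comments)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def provider_url_scheme(url: str) -> Optional[str]:
    """Return the lower-cased URI scheme of a providerURL, or None if it has none."""
    m = _SCHEME_RE.match(url.strip())
    return m.group(1).lower() if m else None


def audit_jms_sources(text: str) -> List[Dict[str, object]]:
    """One finding per JMS source: its providerURL, the scheme found, and
    whether that scheme would pass the java-or-nothing allowlist."""
    props = parse_properties(text)
    findings: List[Dict[str, object]] = []
    for key, value in props.items():
        parts = key.split(".")
        # Source definitions look like <agent>.sources.<name>.type = jms
        if len(parts) != 4 or parts[1] != "sources" or parts[3] != "type":
            continue
        if value.lower() != "jms":
            continue
        agent, name = parts[0], parts[2]
        url = props.get(f"{agent}.sources.{name}.providerURL")
        scheme = provider_url_scheme(url) if url is not None else None
        findings.append({
            "agent": agent,
            "source": name,
            "providerURL": url,
            "scheme": scheme,
            "allowed": scheme in ALLOWED_SCHEMES,
        })
    return findings


if __name__ == "__main__":
    for f in audit_jms_sources(SAMPLE_CONFIG):
        verdict = "ok" if f["allowed"] else "FLAG: non-java JNDI provider"
        print(f"{f['agent']}.sources.{f['source']}: providerURL={f['providerURL']!r} -> {verdict}")
```

Running the file prints one verdict per JMS source; jms1 is flagged for its ldap scheme and jms2 passes. The same check belongs in whatever pipeline deploys agent configurations, since the exposure hinges on who can write or supply that file rather than on network reachability of the agent alone.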
References (3)
Core References
Issue Tracking, Vendor Advisory
https://issues.apache.org/jira/browse/FLUME-3437
Mailing List, Vendor Advisory
https://lists.apache.org/thread/1ckhmp539zr2nd2rs45pocpywk2d9zvz
Mailing List, Patch, Vendor Advisory
https://lists.apache.org/thread/939wkx8o90bp6m2ht3t1sdyo1ncypl78
Scores
CVSS v3
9.8
EPSS
0.0640
EPSS Percentile
91.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-74
CWE-20
Status
published
Products (2)
apache/flume
1.4.0 - 1.10.1
org.apache.flume.flume-ng-sources/flume-jms-source
< 1.11.0 (Maven; fixed in 1.11.0)
Published
Oct 26, 2022
Tracked Since
Feb 18, 2026