CVE-2023-46604
Apache ActiveMQ Deserialization of Untrusted Data Vulnerability
CVSS
—
No CVSS
EPSS
99.7%
p100
KEV
YES
Nov 2, 2023
Exploit Today
80
0-100
Published: — · Last modified: —
Product
Apache / ActiveMQ
Vulnerability
Apache ActiveMQ Deserialization of Untrusted Data Vulnerability
Added to KEV
Nov 2, 2023
Remediate by
Nov 23, 2023
Known ransomware use
Yes
Summary description
Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to run shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
Required action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes
https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt; https://nvd.nist.gov/vuln/detail/CVE-2023-46604