URL: https://www.cve.org/CVERecord?id=CVE-2023-46604

CVE-2023-46604

PUBLISHED
Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded
deserialization causes ActiveMQ to be vulnerable to a remote code execution
(RCE) attack

Assigner: Apache Software Foundation

Published: 2023-10-27
Updated: 2023-11-28

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution.
This vulnerability may allow a remote attacker with network access to either a
Java-based OpenWire broker or client to run arbitrary shell commands by
manipulating serialized class types in the OpenWire protocol to cause either the
client or the broker (respectively) to instantiate any class on the classpath.
Users are recommended to upgrade both brokers and clients to version 5.15.16,
5.16.7, 5.17.6, or 5.18.3 which fixes this issue.


PRODUCT STATUS


Vendor: Apache Software Foundation
Product: Apache ActiveMQ
Versions (default status: unaffected):

 * affected from 5.18.0 before 5.18.3
 * affected from 5.17.0 before 5.17.6
 * affected from 5.16.0 before 5.16.7
 * affected from 0 before 5.15.16

Vendor: Apache Software Foundation
Product: Apache ActiveMQ Legacy OpenWire Module
Versions (default status: unaffected):

 * affected from 5.18.0 before 5.18.3
 * affected from 5.17.0 before 5.17.6
 * affected from 5.16.0 before 5.16.7
 * affected from 5.8.0 before 5.15.16
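The description above says the fix is to upgrade both brokers and clients, and the PRODUCT STATUS section gives the affected ranges in CVE JSON 5 "affected from X before Y" form, with one subtle difference between the two products (the main product's oldest range starts at 0, the Legacy OpenWire Module's at 5.8.0). The following Python is an added example, not code from the CVE record or from the ActiveMQ project: it encodes those ranges, compares version strings against them (including the pre-release and vendor-suffix edge cases an inventory scan runs into), and triages broker versions pulled from constructed log lines. The startup-banner format, host names and IDs in the sample are assumptions made for the demonstration; the ranges and product names are copied from the record.

```python
"""Triage ActiveMQ versions against the affected ranges published in CVE-2023-46604.

Added example (not code from the CVE record or the ActiveMQ project). The ranges
below are copied from the record's PRODUCT STATUS section; the log-line format
and host names are constructed for the demonstration.
"""
import re
from typing import List, Optional, Tuple

# CVE JSON 5 "affected from X before Y" means introduced <= version < fixed.
# The two products differ only in the floor of the oldest range: the Legacy
# OpenWire Module's range starts at 5.8.0, the main product's at 0.
AFFECTED_RANGES = {
    "Apache ActiveMQ": [
        ("5.18.0", "5.18.3"),
        ("5.17.0", "5.17.6"),
        ("5.16.0", "5.16.7"),
        ("0", "5.15.16"),
    ],
    "Apache ActiveMQ Legacy OpenWire Module": [
        ("5.18.0", "5.18.3"),
        ("5.17.0", "5.17.6"),
        ("5.16.0", "5.16.7"),
        ("5.8.0", "5.15.16"),
    ],
}

_DOTTED_DIGITS = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Return a sortable key for strings such as '5.15.9', '5.18' or
    '5.16.7.redhat-00001'. Only the leading dotted-digit run is compared
    (vendor suffixes are ignored), padded to four components so '5.18'
    sorts as 5.18.0.0. A -SNAPSHOT build is a pre-release of the version it
    names, so it sorts just below that release: '5.18.3-SNAPSHOT' is still
    before the 5.18.3 fix and is reported as affected."""
    m = _DOTTED_DIGITS.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts += (0,) * max(0, 4 - len(parts))
    is_release = 0 if "SNAPSHOT" in text.upper() else 1
    return (parts, is_release)


def fixed_version_for(version: str, product: str = "Apache ActiveMQ") -> Optional[str]:
    """Return the fixed version of the affected range that contains `version`,
    or None when the record's default status (unaffected) applies."""
    key = parse_version(version)
    for introduced, fixed in AFFECTED_RANGES[product]:
        if parse_version(introduced) <= key < parse_version(fixed):
            return fixed
    return None


def is_affected(version: str, product: str = "Apache ActiveMQ") -> bool:
    return fixed_version_for(version, product) is not None


# Constructed sample, modelled on the broker's startup banner (assumed format:
# "Apache ActiveMQ <version> (<brokerName>, ID:...) is starting").
SAMPLE_LOG = [
    " INFO | Apache ActiveMQ 5.15.9 (localhost, ID:mq-a-41359-1698400000000-0:1) is starting",
    " INFO | Listening for connections at: tcp://mq-a:61616",
    " INFO | Apache ActiveMQ 5.18.3 (localhost, ID:mq-b-41359-1698400000000-0:1) is starting",
]
_BANNER = re.compile(r"Apache ActiveMQ (\S+) \(")


def triage_log(lines: List[str], product: str = "Apache ActiveMQ") -> List[Tuple[str, Optional[str]]]:
    """Extract broker versions from startup banners and pair each with the
    upgrade target from the record (None = not in an affected range)."""
    out = []
    for line in lines:
        m = _BANNER.search(line)
        if m:
            out.append((m.group(1), fixed_version_for(m.group(1), product)))
    return out


if __name__ == "__main__":
    for version, fix in triage_log(SAMPLE_LOG):
        print(f"{version}: {'upgrade to ' + fix if fix else 'not in an affected range'}")
```

Two points worth noting when reusing this: a version the record does not list at all (for example 6.0.0) comes back as unaffected only because the record's default status is unaffected, not because the script has checked anything about that release; and the per-product check matters, since a 5.7.x deployment is in range for Apache ActiveMQ but not for the Legacy OpenWire Module.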


CREDITS

 * yejie@threatbook.cn finder


REFERENCES

 * https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt (vendor-advisory)
 * https://www.openwall.com/lists/oss-security/2023/10/27/5
 * https://security.netapp.com/advisory/ntap-20231110-0010/
 * https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html
 * https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html

View additional information about CVE-2023-46604 on NVD.

(Note: The NVD is not operated by the CVE Program.)

Use of the CVE® List and the associated references from this website is subject
to the terms of use. CVE is sponsored by the U.S. Department of Homeland
Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).
Copyright © 1999-2023, The MITRE Corporation. CVE and the CVE logo are
registered trademarks of The MITRE Corporation.