CVE-2016-4978
Artemis: Deserialization of untrusted input vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes being present on the Artemis classpath.
El método getObject de la clase javax.jms.ObjectMessage en el (1) cliente JMS Core, (2) broker Artemis y (3) componente Artemis REST en Apache ActiveMQ Artemis en versiones anteriores a 1.4.0 podría permitir a usuarios remotos autenticados con permiso, mandar mensajes al broker Artemis para deserializar objetos arbitrarios y ejecutar código arbitrario aprovechando clases de gadget presentes en la ruta de clases Artemis.
It was found that use of a JMS ObjectMessage does not safely handle user supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2016-05-24 CVE Reserved
- 2016-09-27 CVE Published
- 2023-11-20 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (22)
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 6.0.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6.0.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server" | 5.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "5.0" | - |
Safe
|
Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 6.0.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6.0.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server" | 6.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "6.0" | - |
Safe
|
Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 6.0.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6.0.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server" | 7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0" | - |
Safe
|
Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 6.4.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6.4.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server" | 5.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "5.0" | - |
Safe
|
Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 6.4.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6.4.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server" | 6.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "6.0" | - |
Safe
|
Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 6.4.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6.4.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server" | 7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0" | - |
Safe
|
Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.0.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.0.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server" | 6.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "6.0" | - |
Safe
|
Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.0.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.0.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server" | 7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0" | - |
Safe
|
Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.1.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.1.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server" | 6.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "6.0" | - |
Safe
|
Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.1.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.1.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server" | 7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0" | - |
Safe
|
Apache Search vendor "Apache" | Activemq Artemis Search vendor "Apache" for product "Activemq Artemis" | < 1.4.0 Search vendor "Apache" for product "Activemq Artemis" and version " < 1.4.0" | - |
Affected
|