CVE-2022-42468: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

October 26, 2022 (updated October 27, 2022)

Apache Flume versions 1.4.0 through 1.10.1 is vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.

References

github.com/advisories/GHSA-9w4g-fp9h-3q2v
issues.apache.org/jira/browse/FLUME-3437
lists.apache.org/thread/1ckhmp539zr2nd2rs45pocpywk2d9zvz
lists.apache.org/thread/939wkx8o90bp6m2ht3t1sdyo1ncypl78
nvd.nist.gov/vuln/detail/CVE-2022-42468

Code Behaviors & Features

Detect and mitigate CVE-2022-42468 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →