CVE-2022-34916

CVE-2022-34916: Improper Input Validation (JNDI Injection) in JMSMessageConsumer

Vendor: Apache Software Foundation
Product: Apache Flume
Weakness: CWE-20 · Input validation
Published: August 21, 2022
Last update: August 3, 2024

CVSS base score

What the vulnerability does

01 Description

Apache Flume versions 1.4.0 through 1.10.0 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with a JNDI LDAP data source URI and an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.
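The kind of check the fix describes, as an added example and not Flume's own code: a JNDI name is accepted only if it carries no URI scheme or the `java` scheme, and anything unparseable is rejected. The class name, the method name and the sample names are hypothetical and constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

public class JndiNameCheck {

    /**
     * Returns true only when the name has no URI scheme or the scheme is "java".
     * Names with any other scheme (ldap, ldaps, rmi, dns, ...) are rejected,
     * because a JNDI lookup on a URL-style name is resolved by the URL's own
     * provider rather than by the configured initial context.
     */
    static boolean isAllowedJndiName(String name) {
        if (name == null || name.trim().isEmpty()) {
            return false;
        }
        try {
            String scheme = new URI(name.trim()).getScheme();
            return scheme == null || scheme.equalsIgnoreCase("java");
        } catch (URISyntaxException e) {
            // Fail closed: a name that cannot be parsed is never handed to JNDI.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample names; none come from the advisory.
        List<String> samples = List.of(
            "java:comp/env/jms/OrdersQueue",                  // java scheme
            "jms/OrdersQueue",                                // no scheme
            "ldap://ldap.example.invalid:389/cn=OrdersQueue", // remote LDAP
            "LDAP://ldap.example.invalid/cn=OrdersQueue",     // scheme case varies
            "rmi://rmi.example.invalid/OrdersQueue",          // remote RMI
            "not a uri");                                     // unparseable
        for (String s : samples) {
            System.out.printf("%-50s %s%n", s,
                isAllowedJndiName(s) ? "allow" : "reject");
        }
    }
}
```

The check belongs immediately before the value reaches `Context.lookup`, so that every configuration path passes through it.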

Key dates

02 Disclosure timeline

August 21, 2022 CVE published
August 3, 2024 Record updated