CVE-2022-42468

CVE-2022-42468: Apache Flume prior to 1.11.0 has an Improper Input Validation (JNDI Injection) in JMSSource

Vendor: Apache Software Foundation
Product: Apache Flume
Weakness: CWE-20 (Improper Input Validation)
Published: October 26, 2022
Last update: May 7, 2025

What the vulnerability does

Description

Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.
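To find agent configurations that would be exposed on an affected version, the rule stated above (java scheme or no scheme) can be applied to each JMS source's `providerURL`. This is an added example, not Flume's own code; it assumes the usual `<agent>.sources.<name>.type = jms` property layout, and the sample configuration and host name are constructed.

```python
import re

# Rule as stated in the description: only the java scheme, or no scheme at all.
ALLOWED_SCHEMES = {"", "java"}
JMS_TYPES = {"jms", "org.apache.flume.source.jms.jmssource"}

def parse_properties(text):
    """Minimal key=value parser for a Flume agent properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def url_scheme(value):
    """Return the lower-cased URI scheme, or "" when there is none.
    A bare host:port is reported as having a scheme, which errs toward review."""
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", value)
    return m.group(1).lower() if m else ""

def audit_jms_sources(text):
    """List (property key, scheme) for JMS sources whose providerURL breaks the rule."""
    props = parse_properties(text)
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"([^.]+)\.sources\.([^.]+)\.type", key)
        if not m or value.lower() not in JMS_TYPES:
            continue
        url_key = "{}.sources.{}.providerURL".format(*m.groups())
        scheme = url_scheme(props.get(url_key, ""))
        if scheme not in ALLOWED_SCHEMES:
            findings.append((url_key, scheme))
    return sorted(findings)

# Constructed sample configuration (not taken from the advisory).
SAMPLE = """
a1.sources = safe legacy other
a1.sources.safe.type = jms
a1.sources.safe.providerURL = java:comp/env/jms
a1.sources.legacy.type = jms
a1.sources.legacy.providerURL = ldap://directory.example.test:389/cn=jms
a1.sources.other.type = netcat
"""

if __name__ == "__main__":
    for key, scheme in audit_jms_sources(SAMPLE):
        print(f"review {key}: scheme '{scheme}' is outside the allowed set")
```

A finding marks a configuration to review, and agents on versions 1.4.0 through 1.10.1 still need the upgrade to 1.11.0.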

Key dates

Disclosure timeline

October 26, 2022: CVE published
May 7, 2025: Record updated