The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
History

Wed, 14 Aug 2024 01:00:00 +0000

Type Values Removed Values Added
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-10-27T14:59:31.046Z

Updated: 2024-08-02T20:45:42.299Z

Reserved: 2023-10-24T08:55:31.050Z

Link: CVE-2023-46604

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-10-27T15:15:14.017

Modified: 2024-11-21T08:28:52.810

Link: CVE-2023-46604

cve-icon Redhat

Severity : Critical

Publid Date: 2023-10-27T00:00:00Z

Links: CVE-2023-46604 - Bugzilla