CVE-2023-46604

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://seclists.org/fulldisclosure/2024/Apr/18", "name": "http://seclists.org/fulldisclosure/2024/Apr/18", "tags": ["Mailing List", "Third Party Advisory"], "refsource": ""}, {"url": "http://seclists.org/fulldisclosure/2024/Apr/18", "name": "http://seclists.org/fulldisclosure/2024/Apr/18", "tags": ["Mailing List", "Third Party Advisory"], "refsource": ""}, {"url": "https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt", "name": "https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt", "tags": ["Vendor Advisory"], "refsource": ""}, {"url": "https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt", "name": "https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt", "tags": ["Vendor Advisory"], "refsource": ""}, {"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html", "name": "https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html", "tags": ["Mailing List"], "refsource": ""}, {"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html", "name": "https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html", "tags": ["Mailing List"], "refsource": ""}, {"url": "https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html", "name": "https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "refsource": ""}, {"url": "https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html", "name": "https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "refsource": ""}, {"url": "https://security.netapp.com/advisory/ntap-20231110-0010/", "name": "https://security.netapp.com/advisory/ntap-20231110-0010/", "tags": ["Third Party Advisory"], "refsource": ""}, {"url": "https://security.netapp.com/advisory/ntap-20231110-0010/", "name": "https://security.netapp.com/advisory/ntap-20231110-0010/", "tags": ["Third Party Advisory"], "refsource": ""}, {"url": "https://www.openwall.com/lists/oss-security/2023/10/27/5", "name": "https://www.openwall.com/lists/oss-security/2023/10/27/5", "tags": ["Mailing List"], "refsource": ""}, {"url": "https://www.openwall.com/lists/oss-security/2023/10/27/5", "name": "https://www.openwall.com/lists/oss-security/2023/10/27/5", "tags": ["Mailing List"], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The Java OpenWire protocol marshaller is vulnerable to Remote Code \nExecution. This vulnerability may allow a remote attacker with network \naccess to either a Java-based OpenWire broker or client to run arbitrary\n shell commands by manipulating serialized class types in the OpenWire \nprotocol to cause either the client or the broker (respectively) to \ninstantiate any class on the classpath.\n\nUsers are recommended to upgrade\n both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 \nwhich fixes this issue."}]}, "problemtype": {"problemtype_data": [{"description": []}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2023-46604", "ASSIGNER": "security@apache.org"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}}, "publishedDate": "2023-10-27T15:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "5.15.16"}, {"cpe23Uri": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "5.18.3", "versionStartIncluding": "5.18.0"}, {"cpe23Uri": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "5.17.6", "versionStartIncluding": "5.17.0"}, {"cpe23Uri": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "5.16.7", "versionStartIncluding": "5.16.0"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:apache:activemq_legacy_openwire_module:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "5.15.16"}, {"cpe23Uri": "cpe:2.3:a:apache:activemq_legacy_openwire_module:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "5.18.3", "versionStartIncluding": "5.18.0"}, {"cpe23Uri": "cpe:2.3:a:apache:activemq_legacy_openwire_module:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "5.17.6", "versionStartIncluding": "5.17.0"}, {"cpe23Uri": "cpe:2.3:a:apache:activemq_legacy_openwire_module:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "5.16.7", "versionStartIncluding": "5.16.0"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netapp:e-series_santricity_unified_manager:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netapp:santricity_storage_plugin:-:*:*:*:*:vcenter:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2025-03-06T19:48Z"}