Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXY1MjUtYzNnNS1jZzlw
Unsafe Deserialization that can Result in Code Execution
JMS Client for RabbitMQ 1.x before 1.15.2 and 2.x before 2.2.0 is vulnerable to unsafe deserialization that can result in code execution via crafted StreamMessage data.
Permalink: https://github.com/advisories/GHSA-v525-c3g5-cg9p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXY1MjUtYzNnNS1jZzlw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 4 months ago
Identifiers: GHSA-v525-c3g5-cg9p, CVE-2020-36282
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-36282
- https://github.com/rabbitmq/rabbitmq-jms-client/issues/135
- https://github.com/rabbitmq/rabbitmq-jms-client/pull/136/commits/f647e5dbfe055a2ca8cbb16dd70f9d50d888b638
- https://github.com/rabbitmq/rabbitmq-jms-client/releases/tag/v1.15.2
- https://github.com/rabbitmq/rabbitmq-jms-client/releases/tag/v2.2.0
- https://medium.com/@ramon93i7/a99645d0448b
- https://github.com/advisories/GHSA-v525-c3g5-cg9p
Affected Packages
maven:com.rabbitmq.jms:rabbitmq-jms
Versions: >= 1.0, < 1.15.2, >= 2.0, < 2.2.0
Fixed in: 1.15.2, 2.2.0
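The affected-version line above is the part of this advisory a practitioner actually has to evaluate against a dependency tree, and the two ranges are easy to misread (1.15.2 closes the 1.x interval, 2.2.0 the 2.x interval). The following Python script is an added example, not code from ecosyste.ms or from the rabbitmq-jms-client project: it parses the range string exactly as printed on this page, compares versions with a deliberately simplified form of Maven's ordering (numeric components first, any qualifier such as RC1 or SNAPSHOT sorts before the final release, and ga/final/release count as a plain release), and reports which entries of a constructed dependency list are affected and which fixed release to move to. The `audit` function, the `SAMPLE_DEPENDENCIES` list and the `upgrade_to` field are illustrative names introduced here.

```python
"""Evaluate dependency versions against the affected ranges of GHSA-v525-c3g5-cg9p.

Added example, not ecosyste.ms or rabbitmq-jms-client code. The range string and
fixed versions are copied from the advisory page; SAMPLE_DEPENDENCIES is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

ADVISORY_ID = "GHSA-v525-c3g5-cg9p"
PACKAGE = "maven:com.rabbitmq.jms:rabbitmq-jms"
AFFECTED_RANGES = ">= 1.0, < 1.15.2, >= 2.0, < 2.2.0"  # as printed on the page
FIXED_IN = ["1.15.2", "2.2.0"]

# Maven treats these qualifiers as equivalent to a plain release.
_RELEASE_ALIASES = {"", "ga", "final", "release"}


def parse_version(version: str) -> Tuple[Tuple[int, ...], str]:
    """'1.15.2-RC1' -> ((1, 15, 2), 'rc1'); a final release has an empty qualifier."""
    m = re.match(r"^v?(\d+(?:\.\d+)*)(?:[-.]?(.*))?$", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    qualifier = (m.group(2) or "").lower()
    return numbers, "" if qualifier in _RELEASE_ALIASES else qualifier


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1. Simplified Maven ordering: numeric parts decide first;
    on a tie, a version with a qualifier (pre-release) sorts before the release."""
    na, qa = parse_version(a)
    nb, qb = parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))  # 2.0 == 2.0.0
    nb += (0,) * (width - len(nb))
    if na != nb:
        return -1 if na < nb else 1
    if qa == qb:
        return 0
    if not qa or not qb:
        return 1 if not qa else -1
    return -1 if qa < qb else 1  # lexical; Maven's real qualifier order is richer


def _holds(op: str, cmp: int) -> bool:
    return {">=": cmp >= 0, ">": cmp > 0, "<": cmp < 0, "<=": cmp <= 0}[op]


def parse_ranges(spec: str) -> List[List[Tuple[str, str]]]:
    """'>= 1.0, < 1.15.2, >= 2.0, < 2.2.0' -> two intervals, each a list of
    (operator, bound). A lower bound opens an interval, the next upper bound closes it."""
    intervals: List[List[Tuple[str, str]]] = []
    current: List[Tuple[str, str]] = []
    for token in spec.split(","):
        op, bound = token.split()
        if op not in (">=", ">", "<", "<="):
            raise ValueError(f"unknown operator {op!r}")
        if op in (">=", ">") and current:  # new lower bound without a close
            intervals.append(current)
            current = []
        current.append((op, bound))
        if op in ("<", "<="):
            intervals.append(current)
            current = []
    if current:
        intervals.append(current)
    return intervals


def is_affected(version: str, spec: str = AFFECTED_RANGES) -> bool:
    """True if the version lies inside any affected interval."""
    return any(all(_holds(op, compare(version, b)) for op, b in iv)
               for iv in parse_ranges(spec))


def recommended_fix(version: str, fixed: List[str] = FIXED_IN) -> Optional[str]:
    """Fixed release on the same major line that is newer than `version`, else None."""
    major = parse_version(version)[0][0]
    for candidate in fixed:
        if parse_version(candidate)[0][0] == major and compare(candidate, version) > 0:
            return candidate
    return None


def audit(dependencies: List[Tuple[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Report each (groupId:artifactId, version) pair that matches the advisory's
    package in an affected version, e.g. pairs scraped from `mvn dependency:list`."""
    findings: List[Dict[str, Optional[str]]] = []
    for coordinate, version in dependencies:
        if f"maven:{coordinate}" == PACKAGE and is_affected(version):
            findings.append({"coordinate": coordinate, "version": version,
                             "advisory": ADVISORY_ID,
                             "upgrade_to": recommended_fix(version)})
    return findings


# Constructed sample dependency tree (not taken from any real project).
SAMPLE_DEPENDENCIES = [
    ("com.rabbitmq.jms:rabbitmq-jms", "1.15.1"),
    ("com.rabbitmq.jms:rabbitmq-jms", "2.1.0.RELEASE"),
    ("com.rabbitmq.jms:rabbitmq-jms", "2.2.0"),
    ("com.rabbitmq:amqp-client", "5.10.0"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_DEPENDENCIES):
        print(f"{f['coordinate']}@{f['version']} affected by {f['advisory']}; "
              f"upgrade to {f['upgrade_to']}")
```

Note the pre-release handling: a build on 1.15.2-RC1 is still reported as affected, because the fix is only assumed present from the 1.15.2 release onward, and 2.1.0.RELEASE is treated as 2.1.0. Anything more exotic than that (milestone versus beta ordering, service-pack qualifiers) is outside this simplified comparator and should be checked against Maven's own ComparableVersion.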