The Apache Software Foundation provides support for the Apache community of open-source software projects.
The Apache projects are characterized by a collaborative, consensus based development process, an open and
pragmatic software license, and a desire to create high quality software that leads the way in its field.
We consider ourselves not simply a group of projects sharing a server, but rather a community of developers
and users.
Path to dependency file: /nifi-nar-bundles/nifi-flume-bundle/nifi-flume-processors/pom.xml
Path to vulnerable library: /812183939_HVCZJO/downloadResource_PPNSGT/20210812184316/flume-jms-source-1.6.0.jar
The Apache Software Foundation provides support for the Apache community of open-source software projects.
The Apache projects are characterized by a collaborative, consensus based development process, an open and
pragmatic software license, and a desire to create high quality software that leads the way in its field.
We consider ourselves not simply a group of projects sharing a server, but rather a community of developers
and users.
Path to dependency file: /nifi-nar-bundles/nifi-flume-bundle/nifi-flume-processors/pom.xml
Path to vulnerable library: /812183939_HVCZJO/downloadResource_PPNSGT/20210812184316/flume-jms-source-1.6.0.jar
Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-34916
### Vulnerable Library - flume-jms-source-1.6.0.jar
The Apache Software Foundation provides support for the Apache community of open-source software projects.
The Apache projects are characterized by a collaborative, consensus based development process, an open and
pragmatic software license, and a desire to create high quality software that leads the way in its field.
We consider ourselves not simply a group of projects sharing a server, but rather a community of developers
and users.
Path to dependency file: /nifi-nar-bundles/nifi-flume-bundle/nifi-flume-processors/pom.xml
Path to vulnerable library: /812183939_HVCZJO/downloadResource_PPNSGT/20210812184316/flume-jms-source-1.6.0.jar
Apache Flume versions 1.4.0 through 1.10.0 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-25167
### Vulnerable Library - flume-jms-source-1.6.0.jar
The Apache Software Foundation provides support for the Apache community of open-source software projects.
The Apache projects are characterized by a collaborative, consensus based development process, an open and
pragmatic software license, and a desire to create high quality software that leads the way in its field.
We consider ourselves not simply a group of projects sharing a server, but rather a community of developers
and users.
Path to dependency file: /nifi-nar-bundles/nifi-flume-bundle/nifi-flume-processors/pom.xml
Path to vulnerable library: /812183939_HVCZJO/downloadResource_PPNSGT/20210812184316/flume-jms-source-1.6.0.jar
Apache Flume versions 1.4.0 through 1.9.0 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.
The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
Path to dependency file: /nifi-nar-bundles/nifi-flume-bundle/nifi-flume-processors/pom.xml
Path to vulnerable library: /812183939_HVCZJO/downloadResource_PPNSGT/20210812184316/flume-jms-source-1.6.0.jar
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-42468
### Vulnerable Library - flume-jms-source-1.6.0.jarThe Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
Path to dependency file: /nifi-nar-bundles/nifi-flume-bundle/nifi-flume-processors/pom.xml
Path to vulnerable library: /812183939_HVCZJO/downloadResource_PPNSGT/20210812184316/flume-jms-source-1.6.0.jar
Dependency Hierarchy: - :x: **flume-jms-source-1.6.0.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsApache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.
Publish Date: 2022-10-26
URL: CVE-2022-42468
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://lists.apache.org/thread/1ckhmp539zr2nd2rs45pocpywk2d9zvz
Release Date: 2022-10-26
Fix Resolution: 1.11.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-34916
### Vulnerable Library - flume-jms-source-1.6.0.jarThe Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
Path to dependency file: /nifi-nar-bundles/nifi-flume-bundle/nifi-flume-processors/pom.xml
Path to vulnerable library: /812183939_HVCZJO/downloadResource_PPNSGT/20210812184316/flume-jms-source-1.6.0.jar
Dependency Hierarchy: - :x: **flume-jms-source-1.6.0.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsApache Flume versions 1.4.0 through 1.10.0 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.
Publish Date: 2022-08-21
URL: CVE-2022-34916
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34916
Release Date: 2022-08-21
Fix Resolution: 1.10.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-25167
### Vulnerable Library - flume-jms-source-1.6.0.jarThe Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
Path to dependency file: /nifi-nar-bundles/nifi-flume-bundle/nifi-flume-processors/pom.xml
Path to vulnerable library: /812183939_HVCZJO/downloadResource_PPNSGT/20210812184316/flume-jms-source-1.6.0.jar
Dependency Hierarchy: - :x: **flume-jms-source-1.6.0.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsApache Flume versions 1.4.0 through 1.9.0 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.
Publish Date: 2022-06-14
URL: CVE-2022-25167
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://issues.apache.org/jira/browse/FLUME-3416
Release Date: 2022-06-14
Fix Resolution: 1.10.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.