vulnerability
Red Hat JBoss EAP: CVE-2016-4978: Deserialization of Untrusted Data
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:M/Au:S/C:P/I:P/A:P) | Sep 23, 2016 | Sep 19, 2024 | Jul 2, 2025 |
Severity
6
CVSS
(AV:N/AC:M/Au:S/C:P/I:P/A:P)
Published
Sep 23, 2016
Added
Sep 19, 2024
Modified
Jul 2, 2025
Description
The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes being present on the Artemis classpath.. It was found that use of a JMS ObjectMessage does not safely handle user supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage.
Solution
red-hat-jboss-eap-upgrade-latest
References
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.