Unsafe Deserialization Vulnerability in JMS Client for RabbitMQ
CVE-2020-36282
9.8 CRITICAL
What is CVE-2020-36282?
JMS Client for RabbitMQ versions 1.x prior to 1.15.2 and 2.x prior to 2.2.0 contain an unsafe deserialization vulnerability that can lead to code execution. The flaw is triggered by crafted StreamMessage data, which can allow an attacker to inject malicious code into the application. Update to the latest version (at least 1.15.2 on the 1.x line or 2.2.0 on the 2.x line) to mitigate the risk.
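
To check a build against the affected ranges above, the following added example (not part of the advisory or of the RabbitMQ project) flags vulnerable client versions in `mvn dependency:list` output. The Maven coordinates `com.rabbitmq.jms:rabbitmq-jms`, the sample lines and the conservative handling of qualified versions are assumptions.

```python
import re

# Fixed releases named in the advisory, keyed by major version line.
FIXED = {1: (1, 15, 2), 2: (2, 2, 0)}

# Assumption: the client's Maven coordinates, as printed by `mvn dependency:list`.
DEP_RE = re.compile(r"com\.rabbitmq\.jms:rabbitmq-jms:jar:([^:\s]+)")

# Constructed sample input, not real build output.
SAMPLE = """\
[INFO]    com.rabbitmq.jms:rabbitmq-jms:jar:1.15.0:compile
[INFO]    com.rabbitmq.jms:rabbitmq-jms:jar:2.2.0:compile
[INFO]    org.example:unrelated-lib:jar:1.0.0:compile
"""

def parse_version(text):
    """Return ((major, minor, patch), has_qualifier) for a version string."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)$", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return nums, bool(m.group(4))

def is_affected(version):
    """True for 1.x before 1.15.2 and 2.x before 2.2.0."""
    nums, qualified = parse_version(version)
    fixed = FIXED.get(nums[0])
    if fixed is None:
        return False  # the advisory names only the 1.x and 2.x lines
    if nums < fixed:  # numeric tuple compare, so 1.9 sorts before 1.15.2
        return True
    # Assumption: a qualifier on the fixed number (-SNAPSHOT, .RC1) is a
    # build that predates the fixed release, so it is flagged as affected.
    return nums == fixed and qualified

def scan(text):
    """Return (version, affected) for each client dependency found in text."""
    return [(v, is_affected(v)) for v in DEP_RE.findall(text)]

if __name__ == "__main__":
    for version, affected in scan(SAMPLE):
        print(version, "AFFECTED" if affected else "ok")
```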
