Apache Flume versions 1.4.0 up to and including 1.10.1 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.
Vulnerable Product |
---|
apache flume |
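
The rule stated in the advisory above (JNDI limited to the java protocol or no protocol) can be applied as a configuration audit. The following is an added example, not Flume's own code: it scans an agent configuration for JMS sources and reports any `providerURL` whose scheme falls outside that rule. The function names and the sample configuration are constructed for illustration, and the parser assumes plain `key = value` lines.

```python
import re

# The advisory's rule: the java protocol, or no protocol at all.
ALLOWED_SCHEMES = {"java"}
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
JMS_TYPES = {"jms", "org.apache.flume.source.jms.jmssource"}


def parse_properties(text):
    """Minimal parser for key = value lines (assumption: no line continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_jms_sources(text):
    """Return (agent, source, providerURL, scheme) for each JMS source breaking the rule."""
    props = parse_properties(text)
    findings = []
    for key, value in props.items():
        parts = key.split(".")
        # Source type lines have the shape <agent>.sources.<name>.type
        if len(parts) != 4 or parts[1] != "sources" or parts[3] != "type":
            continue
        if value.lower() not in JMS_TYPES:
            continue
        agent, name = parts[0], parts[2]
        url = props.get(f"{agent}.sources.{name}.providerURL", "")
        match = SCHEME_RE.match(url)
        scheme = match.group(1).lower() if match else None  # None means no protocol
        if scheme is not None and scheme not in ALLOWED_SCHEMES:
            findings.append((agent, name, url, scheme))
    return findings


# Constructed sample configuration (hosts and names are placeholders).
SAMPLE_CONFIG = """
a1.sources = s1 s2 s3 s4
a1.sources.s1.type = jms
a1.sources.s1.providerURL = tcp://mq.example.invalid:61616
a1.sources.s2.type = jms
a1.sources.s2.providerURL = java:comp/env/jms
a1.sources.s3.type = org.apache.flume.source.jms.JMSSource
a1.sources.s3.providerURL = jms/ConnectionFactory
a1.sources.s4.type = netcat
"""
```

Run `audit_jms_sources` over each agent configuration on hosts still running 1.4.0 through 1.10.1 to find the sources that need review before upgrading.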