๐Ÿ” CVE Alert

CVE-2022-42468

CRITICAL 9.8

Apache Flume prior to 1.11.0 has an Improper Input Validation (JNDI Injection) in JMSSource

CVSS Score: 9.8
EPSS Score: 0.0%
EPSS Percentile: 0th

Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.

CWE: CWE-20, CWE-74
Vendor: Apache Software Foundation
Product: Apache Flume
Published: Oct 26, 2022
Last Updated: May 7, 2025

Affected Versions

Apache Software Foundation / Apache Flume
Flume JMSSource < 1.11.0

References

issues.apache.org: https://issues.apache.org/jira/browse/FLUME-3437
lists.apache.org: https://lists.apache.org/thread/939wkx8o90bp6m2ht3t1sdyo1ncypl78
lists.apache.org: https://lists.apache.org/thread/1ckhmp539zr2nd2rs45pocpywk2d9zvz