Description
Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.
Remediation
References
https://issues.apache.org/jira/browse/FLUME-3437
https://lists.apache.org/thread/1ckhmp539zr2nd2rs45pocpywk2d9zvz
https://lists.apache.org/thread/939wkx8o90bp6m2ht3t1sdyo1ncypl78
Related Vulnerabilities
CVE-2021-21349 Vulnerability in maven package com.thoughtworks.xstream:xstream
CVE-2019-1003041 Vulnerability in maven package org.jenkins-ci.plugins:script-security
CVE-2022-1438 Vulnerability in maven package org.keycloak:keycloak-services
CVE-2023-30529 Vulnerability in maven package org.jenkins-ci.plugins:lucene-search