High severity7.5NVD Advisory· Published Jul 13, 2016· Updated Jun 17, 2026
CVE-2016-4974
CVE-2016-4974
Description
Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP 1.0) before 0.10.0 does not restrict the use of classes available on the classpath, which might allow remote authenticated users with permission to send messages to deserialize arbitrary objects and execute arbitrary code by leveraging a crafted serialized object in a JMS ObjectMessage that is handled by the getObject function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.qpid:qpid-jms-clientMaven | < 0.10.0 | 0.10.0 |
Affected products
3cpe:2.3:a:apache:amqp_0-x_jms_client:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:apache:amqp_0-x_jms_client:*:*:*:*:*:*:*:*range: <=6.0.3
- cpe:2.3:a:apache:jms_client_amqp:*:*:*:*:*:*:*:*range: <=0.9.0
Patches
Vulnerability mechanics
References
9- packetstormsecurity.com/files/137749/Apache-Qpid-Untrusted-Input-Deserialization.htmlnvdThird Party AdvisoryVDB EntryWEB
- qpid.apache.org/components/jms/security-0-x.htmlnvdVendor AdvisoryWEB
- qpid.apache.org/components/jms/security.htmlnvdVendor AdvisoryWEB
- www.securityfocus.com/bid/91537nvdThird Party AdvisoryVDB Entry
- www.securitytracker.com/id/1036239nvdThird Party AdvisoryVDB Entry
- github.com/advisories/GHSA-f38p-mq64-h784ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2016-4974ghsaADVISORY
- issues.apache.org/jira/browse/QPIDJMS-188nvdIssue TrackingWEB
- www.securityfocus.com/archive/1/538813/100/0/threadednvd
News mentions
0No linked articles in our index yet.