High severity (CVSS 7.5) · NVD Advisory · Published Jul 13, 2016 · Updated May 6, 2026
CVE-2016-4974
Description
The Apache Qpid AMQP 0-x JMS client before 6.0.4 and the Qpid JMS (AMQP 1.0) client before 0.10.0 do not restrict which classes available on the classpath may be deserialized. A remote authenticated user with permission to send messages can therefore deliver a crafted serialized object in a JMS ObjectMessage; when the receiving application calls getObject on that message, the client deserializes the arbitrary object, which can lead to arbitrary code execution.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.qpid:qpid-jms-client (Maven) | < 0.10.0 | 0.10.0 |
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/137749/Apache-Qpid-Untrusted-Input-Deserialization.html (NVD: Third Party Advisory, VDB Entry)
- qpid.apache.org/components/jms/security-0-x.html (NVD: Vendor Advisory)
- qpid.apache.org/components/jms/security.html (NVD: Vendor Advisory)
- www.securityfocus.com/bid/91537 (NVD: Third Party Advisory, VDB Entry)
- www.securitytracker.com/id/1036239 (NVD: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-f38p-mq64-h784 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-4974 (GHSA: Advisory)
- issues.apache.org/jira/browse/QPIDJMS-188 (NVD: Issue Tracking)
- www.securityfocus.com/archive/1/538813/100/0/threaded (NVD)