Vulnerability DatabaseCVE-2022-42468

CVE-2022-42468:
Java vulnerability analysis and mitigation

Overview

Apache Flume versions 1.4.0 through 1.10.1 were identified with a remote code execution (RCE) vulnerability, tracked as CVE-2022-42468. The vulnerability was discovered by security researcher nbxiglk and publicly disclosed on October 26, 2022. The issue affects configurations using a JMS Source with an unsafe providerURL parameter (NVD, Security Online).

Technical details

The vulnerability stems from the JMSSource class implementation where a JNDI lookup is performed on the providerUrl parameter without proper validation. This could lead to the deserialization of untrusted data when using JMS Source with an unsafe providerURL. The issue has been assigned a medium severity rating (Security Online).

Impact

When exploited, this vulnerability could allow attackers to execute arbitrary code on the affected system. Apache Flume, being a distributed service for collecting, aggregating, and moving large amounts of log data, could potentially expose critical systems to unauthorized code execution (Security Online).

Mitigation and workarounds

The vulnerability has been fixed in Apache Flume version 1.11.0. The fix implements restrictions that only allow the use of the java protocol or no protocol in JNDI. Users are recommended to upgrade to version 1.11.0 as soon as possible. Alternatively, users can disable JMSSource as a temporary workaround (Security Online, Apache Mail).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer? See which CVEs are exploitable in your environment.

Get a CVE Assessment

9.8

Score

Published October 26, 2022

Severity CRITICAL

CNA Score 9.8

Affected Technologies

Java
Homebrew

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 82.7

Exploitation Probability (EPSS) 1.9

Affected packages and libraries

org.apache.flume.flume-ng-sources:flume-jms-source
org.apache.flume:flume-parent

Sources

NVD
GitHub Advisory Database
- Maven Severity CRITICALHas FixAdded at: Oct 28, 2022
Homebrew
- Homebrew Severity CRITICALNo FixAdded at: Feb 12, 2024

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Java vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-26866	HIGH	8.8	Java	org.apache.hugegraph:hg-pd-core	No	Yes	Dec 12, 2025
CVE-2025-66474	HIGH	8.7	Java	org.xwiki.rendering:xwiki-rendering-xml	No	Yes	Dec 10, 2025
CVE-2025-66473	HIGH	8.7	Java	org.xwiki.platform:xwiki-platform-rest-server	No	Yes	Dec 10, 2025
CVE-2025-67505	HIGH	8.4	Java	com.okta.sdk:okta-sdk-root	No	Yes	Dec 10, 2025
CVE-2025-14518	MEDIUM	5.3	Java	tech.powerjob:powerjob-common	No	No	Dec 11, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2022-42468: Java vulnerability analysis and mitigation