{"api_version":"1","generated_at":"2026-04-22T17:46:56+00:00","cve":"CVE-2023-46604","urls":{"html":"https://cve.report/CVE-2023-46604","api":"https://cve.report/api/cve/CVE-2023-46604.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-46604","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-46604"},"summary":{"title":"Apache ActiveMQ Deserialization of Untrusted Data Vulnerability","description":"Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. \n\nUsers are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2023-10-27 15:15:00","updated_at":"2023-11-20 22:15:00"},"problem_types":["CWE-502"],"metrics":[],"references":[{"url":"http://www.openwall.com/lists/oss-security/2023/10/27/5","name":"http://www.openwall.com/lists/oss-security/2023/10/27/5","refsource":"MISC","tags":[],"title":"oss-security - CVE-2023-46604: Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire\n Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a\n remote code execution (RCE) attack","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.openwall.com/lists/oss-security/2023/10/27/5","name":"https://www.openwall.com/lists/oss-security/2023/10/27/5","refsource":"","tags":[],"title":"oss-security - CVE-2023-46604: Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire\n Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a\n remote code execution (RCE) 
attack","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20231110-0010/","name":"https://security.netapp.com/advisory/ntap-20231110-0010/","refsource":"","tags":[],"title":"CVE-2023-46604 Apache ActiveMQ Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt","name":"https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt","refsource":"MISC","tags":[],"title":"","mime":"text/plain","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html","name":"https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html","refsource":"","tags":[],"title":"","mime":"","httpstatus":"200","archivestatus":"404"},{"url":"http://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html","name":"http://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html","refsource":"","tags":[],"title":"","mime":"","httpstatus":"-1","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-46604","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46604","name":"NVD vulnerability 
detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"46604","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"activemq","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"46604","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"activemq_legacy_openwire_module","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":{"cve_year":"2023","cve_id":"46604","cve":"CVE-2023-46604","vendorProject":"Apache","product":"ActiveMQ","vulnerabilityName":"Apache ActiveMQ Deserialization of Untrusted Data Vulnerability","dateAdded":"2023-11-02","shortDescription":"Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to run shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.","requiredAction":"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.","dueDate":"2023-11-23","knownRansomwareCampaignUse":"Known","notes":"https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt; https://nvd.nist.gov/vuln/detail/CVE-2023-46604","cwes":"CWE-502","catalogVersion":"2026.04.21","updated_at":"2026-04-21 13:32:18"},"epss":{"cve_year":"2023","cve_id":"46604","cve":"CVE-2023-46604","epss":"0.944360000","percentile":"0.999870000","score_date":"2026-04-21","updated_at":"2026-04-22 00:07:42"},"legacy_qids":[{"cve":"CVE-2023-46604","qid":"150757","title":"Apache ActiveMQ Remote Code Execution (RCE) Vulnerability 
(CVE-2023-46604)"},{"cve":"CVE-2023-46604","qid":"379060","title":"Apache ActiveMQ Remote Code Execution (RCE) Vulnerability"},{"cve":"CVE-2023-46604","qid":"379516","title":"IBM Sterling Secure Proxy Multiple Vulnerabilities (7142038)"},{"cve":"CVE-2023-46604","qid":"6000335","title":"Debian Security Update for activemq (DLA 3657-1)"},{"cve":"CVE-2023-46604","qid":"730963","title":"Apache ActiveMQ Remote Code Execution (RCE) Vulnerability (CVE-2023-46604)"},{"cve":"CVE-2023-46604","qid":"731042","title":"Atlassian Bamboo Server and Data Center Remote Code Execution (RCE) Vulnerability (CVE-2023-46604)"},{"cve":"CVE-2023-46604","qid":"995775","title":"Java (Maven) Security Update for org.apache.activemq:activemq-client (GHSA-crg9-44h2-xw35)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-46604","ASSIGNER":"security@apache.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. 
\n\nUsers are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-502 Deserialization of Untrusted Data","cweId":"CWE-502"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Apache Software Foundation","product":{"product_data":[{"product_name":"Apache ActiveMQ","version":{"version_data":[{"version_affected":"<","version_name":"5.18.0","version_value":"5.18.3"},{"version_affected":"<","version_name":"5.17.0","version_value":"5.17.6"},{"version_affected":"<","version_name":"5.16.0","version_value":"5.16.7"},{"version_affected":"<","version_name":"0","version_value":"5.15.16"}]}},{"product_name":"Apache ActiveMQ Legacy OpenWire Module","version":{"version_data":[{"version_affected":"<","version_name":"5.18.0","version_value":"5.18.3"},{"version_affected":"<","version_name":"5.17.0","version_value":"5.17.6"},{"version_affected":"<","version_name":"5.16.0","version_value":"5.16.7"},{"version_affected":"<","version_name":"5.8.0","version_value":"5.15.16"}]}}]}}]}},"references":{"reference_data":[{"url":"https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt","refsource":"MISC","name":"https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt"},{"url":"http://www.openwall.com/lists/oss-security/2023/10/27/5","refsource":"MISC","name":"http://www.openwall.com/lists/oss-security/2023/10/27/5"}]},"generator":{"engine":"Vulnogram 0.1.0-dev"},"source":{"defect":["AMQ-9370"],"discovery":"EXTERNAL"},"impact":{"cvss":[{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":10,"baseSeverity":"CRITICAL","confidentialityImpact":"LOW","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H","version":"3.1"}]}},"nvd":{"publishedDate":"2023-10-27 
15:15:00","lastModifiedDate":"2023-11-20 22:15:00","problem_types":["CWE-502"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.16","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18.0","versionEndExcluding":"5.18.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17.0","versionEndExcluding":"5.17.6","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16.0","versionEndExcluding":"5.16.7","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:activemq_legacy_openwire_module:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.16","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:activemq_legacy_openwire_module:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18.0","versionEndExcluding":"5.18.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:activemq_legacy_openwire_module:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17.0","versionEndExcluding":"5.17.6","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:activemq_legacy_openwire_module:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16.0","versionEndExcluding":"5.16.7","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}