Cyber Resilience

CVE-2022-42468

Critical

Published: 26 October 2022
Modified: 07 May 2025
KEV Added: not listed
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0640 (91.2nd percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-42468 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Apache Flume. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 8.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to remote code execution when a JMS Source is configured with an unsafe providerURL that permits arbitrary JNDI lookups. The flaw is tracked under CWE-20 and CWE-74 and carries a CVSS 3.1 score of 9.8, reflecting network-accessible attack vectors that require no authentication or user interaction.

An unauthenticated remote attacker who can supply a malicious providerURL to the JMS Source causes the Flume agent to perform a JNDI lookup that results in arbitrary code execution on the host, with full impact on confidentiality, integrity, and availability.

The Apache Flume project resolved the issue by limiting JNDI lookups to the java protocol or no protocol at all, as documented in FLUME-3437 and the associated announcements on the Apache mailing lists. Users are advised to upgrade to a patched release or apply equivalent configuration restrictions.
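As an added illustration, not Apache Flume's own code, the following configuration-time check enforces the rule the fix describes: a providerURL is accepted only when it carries the java: scheme or no scheme at all. The class and method names and the sample values are assumptions made for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Illustrative providerURL policy modelled on the CVE-2022-42468 fix description.
// Not Flume's code: class, method names and sample values are assumptions.
public final class ProviderUrlPolicy {

    private static final String ALLOWED_SCHEME = "java";

    private ProviderUrlPolicy() {}

    // True only when the value has no scheme, or the "java" scheme. Any other
    // scheme (ldap, rmi, iiop, http, ...) could make the JNDI InitialContext
    // contact an attacker-controlled server during lookup, so it is refused.
    public static boolean isAllowed(String providerUrl) {
        if (providerUrl == null || providerUrl.trim().isEmpty()) {
            return true; // absent: JNDI stays within the local java: namespace
        }
        String scheme;
        try {
            scheme = new URI(providerUrl.trim()).getScheme();
        } catch (URISyntaxException e) {
            return false; // unparseable input is refused rather than guessed at
        }
        return scheme == null || ALLOWED_SCHEME.equals(scheme.toLowerCase(Locale.ROOT));
    }

    // Fail closed when the agent configuration is read, so a bad value never
    // reaches the lookup at all.
    public static String requireAllowed(String providerUrl) {
        if (!isAllowed(providerUrl)) {
            throw new IllegalArgumentException(
                "providerURL must use the java: scheme or no scheme, got: " + providerUrl);
        }
        return providerUrl;
    }

    public static void main(String[] args) {
        // Constructed sample values; "attacker.example" is a placeholder host.
        String[] samples = {
            null, "java:comp/env", "jndi/ConnectionFactory",
            "ldap://attacker.example:1389/Exploit", "rmi://attacker.example:1099/Obj"
        };
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "allow  " : "reject ") + s);
        }
    }
}
```

The first three samples are accepted and the two remote-scheme values are rejected; a deployment that legitimately needs a scheme-bearing broker URL must decide that at the connection-factory level rather than by widening this check.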

The EPSS score has remained flat at 0.0640 with no material increase after disclosure.


Vulnerability details

Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.

CWE(s): CWE-20 (Improper Input Validation), CWE-74 (Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: flume
Versions: 1.4.0 through 1.10.1

Mitigating Controls

Likely Mitigating Controls (AI-derived mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-20, CWE-74: Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.

Addresses CWE-20: Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

Addresses CWE-20: Directly implements checks on information inputs to reject invalid data before processing.

Addresses CWE-74: Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

Addresses CWE-20: Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
