Hi, Security vendors (e.g. https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEACTIVEMQ-6039483) are flagging CVE-2023-46604 against activemq-client (I guess by looking at the changes to activemq-client https://github.com/apache/activemq/commit/9905e2a5bf9862a049f94ce0a2465b0c7ad52436). However the explanation on https://activemq.apache.org/news/cve-2023-46604 only mentions that the broker as being vulnerable " The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands "...
Is a client of ActiveMQ vulnerable to this CVE if for example it parses a malicious message from the broker? Or is it indeed only the broker who is vulnerable? Thanks, Colm.