Hi Colm

It's on the broker side, not on the client side. However, the change
is also on the client side, as it's in the OpenWire marshalling (shared
between the client and the broker).

Regards
JB

On Mon, Nov 6, 2023 at 3:28 PM Colm O hEigeartaigh <cohei...@apache.org> wrote:
>
> Hi,
>
> Security vendors (e.g.
> https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEACTIVEMQ-6039483) are
> flagging CVE-2023-46604 against activemq-client (I guess by looking at
> the changes to activemq-client
> https://github.com/apache/activemq/commit/9905e2a5bf9862a049f94ce0a2465b0c7ad52436).
> However, the explanation on
> https://activemq.apache.org/news/cve-2023-46604 only mentions the
> broker as being vulnerable: "The vulnerability may allow a remote
> attacker with network access to a broker to run arbitrary shell
> commands"...
>
> Is a client of ActiveMQ vulnerable to this CVE if for example it
> parses a malicious message from the broker? Or is it indeed only the
> broker who is vulnerable?
>
> Thanks,
>
> Colm.
