CVE-2023-46604

Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to run shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. Vendor/Product: Apache ActiveMQ. Added to CISA KEV 2023-11-02; required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.