Apache Flume is vulnerable to remote code execution. The vulnerability exists due to improper validations of jms source and provider url where the attacker can use the jms source with an unsafe provider url causing arbitrary code executions.
github.com/advisories/GHSA-9w4g-fp9h-3q2v
github.com/apache/flume/commit/9f2807d5519f0ab25025f7a73bd1a8730fabba6f
github.com/apache/flume/commit/eee179a09df405c1ab55ae25a53b76ca1050bb97
issues.apache.org/jira/browse/FLUME-3437
lists.apache.org/thread/1ckhmp539zr2nd2rs45pocpywk2d9zvz
lists.apache.org/thread/939wkx8o90bp6m2ht3t1sdyo1ncypl78