CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 1CVE-2022-41678 – Apache ActiveMQ: Insufficient API restrictions on Jolokia allow authenticated users to perform RCE
https://notcve.org/view.php?id=CVE-2022-41678
28 Nov 2023 — Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution. In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject. And calls to org.jolokia.http.HttpRequestHandler#executeRequest. Into deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest can be invoked through refection. This could lead to RC... • https://github.com/mbadanoiu/CVE-2022-41678 • CWE-287: Improper Authentication CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 97%CPEs: 12EXPL: 29CVE-2023-46604 – Apache ActiveMQ Deserialization of Untrusted Data Vulnerability
https://notcve.org/view.php?id=CVE-2023-46604
27 Oct 2023 — The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this is... • https://packetstorm.news/files/id/175676 • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.1EPSS: 1%CPEs: 4EXPL: 0CVE-2020-13947
https://notcve.org/view.php?id=CVE-2020-13947
08 Feb 2021 — An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the message.jsp page of Apache ActiveMQ versions 5.15.12 through 5.16.0. Se identificó una instancia de una vulnerabilidad de tipo cross-site scripting en la consola de administración basada en web en la página message.jsp de Apache ActiveMQ versiones 5.15.12 hasta 5.16.0 • http://activemq.apache.org/security-advisories.data/CVE-2020-13947-announcement.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.9EPSS: 0%CPEs: 5EXPL: 0CVE-2020-13920 – activemq: improper authentication allows MITM attack
https://notcve.org/view.php?id=CVE-2020-13920
10 Sep 2020 — Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12. Apache ActiveMQ usa la función Locat... • http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt • CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function •
CVSS: 6.1EPSS: 0%CPEs: 14EXPL: 0CVE-2020-1941
https://notcve.org/view.php?id=CVE-2020-1941
14 May 2020 — In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue. En Apache ActiveMQ versiones 5.0.0 hasta 5.15.11, la Interfaz de Usuario Gráfica de administración webconsole está abierta a un ataque de tipo XSS, en la vista que enumera el contenido de una cola. • http://activemq.apache.org/security-advisories.data/CVE-2020-1941-announcement.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.0EPSS: 0%CPEs: 5EXPL: 0CVE-2015-7559 – ActiveMQ: DoS in client via shutdown command
https://notcve.org/view.php?id=CVE-2015-7559
01 Aug 2019 — It was found that the Apache ActiveMQ client before 5.14.5 exposed a remote shutdown command in the ActiveMQConnection class. An attacker logged into a compromised broker could use this flaw to achieve denial of service on a connected client. Se encontró que el cliente ActiveMQ de Apache anterior a versión 5.15.5, expuso un comando de apagado remoto en clase ActiveMQConnection. Un atacante que inicio sesión en un broker comprometido podría utilizar este fallo para lograr una denegación de servicio en un cli... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7559 • CWE-20: Improper Input Validation CWE-306: Missing Authentication for Critical Function •
CVSS: 7.5EPSS: 0%CPEs: 13EXPL: 0CVE-2019-0222 – activemq: Corrupt MQTT frame can cause broker shutdown
https://notcve.org/view.php?id=CVE-2019-0222
28 Mar 2019 — In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive. En Apache ActiveMQ, desde la versión 5.0.0 hasta la 5.15.8, la deserialización de una trama MQTT corrupta puede conducir a una excepción de bróker fuera de memoria, haciendo que no responda. AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protoc... • http://activemq.apache.org/security-advisories.data/CVE-2019-0222-announcement.txt •
CVSS: 6.1EPSS: 36%CPEs: 1EXPL: 0CVE-2018-8006
https://notcve.org/view.php?id=CVE-2018-8006
10 Oct 2018 — An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the queue.jsp page of Apache ActiveMQ versions 5.0.0 to 5.15.5. The root cause of this issue is improper data filtering of the QueueFilter parameter. Se ha identificado una instancia de una vulnerabilidad Cross-Site Scripting (XSS) en la consola de administración web en la página queue.jsp de Apache ActiveMQ de la version 5.0.0 a la 5.15.5. La causa raíz de este problema es el filtrado... • http://activemq.apache.org/security-advisories.data/CVE-2018-8006-announcement.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.4EPSS: 0%CPEs: 7EXPL: 0CVE-2018-11775 – activemq: ActiveMQ Client Missing TLS Hostname Verification
https://notcve.org/view.php?id=CVE-2018-11775
10 Sep 2018 — TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default. Falta la verificación de nombres de host TLS al emplear Apache ActiveMQ Client en versiones anteriores a la 5.15.6, lo que podría hacer que el cliente sea vulnerable a un ataque Man-in-the-Middle (MitM) entre una aplicación Java que emplea el cliente Activ... • http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt • CWE-295: Improper Certificate Validation •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6810
https://notcve.org/view.php?id=CVE-2016-6810
10 Jan 2018 — In Apache ActiveMQ 5.x before 5.14.2, an instance of a cross-site scripting vulnerability was identified to be present in the web based administration console. The root cause of this issue is improper user data output validation. En Apache ActiveMQ en versiones 5.x anteriores a la 5.14.2, se ha identificado una instancia de una vulnerabilidad Cross-Site Scripting (XSS) que está presente en la consola de administración web. La causa del problema es la validación incorrecta de los datos de salida del usuario. • http://activemq.apache.org/security-advisories.data/CVE-2016-6810-announcement.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •