13 results (0.017 seconds)

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.  In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject. And calls to org.jolokia.http.HttpRequestHandler#executeRequest. Into deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest can be invoked through refection. This could lead to RCE through via various mbeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11. 1 Call newRecording. 2 Call setConfiguration. And a webshell data hides in it. 3 Call startRecording. 4 Call copyTo method. • https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt https://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4sl https://security.netapp.com/advisory/ntap-20240216-0004 https://www.openwall.com/lists/oss-security/2023/11/28/1 https://access.redhat.com/security/cve/CVE-2022-41678 https://bugzilla.redhat.com/show_bug.cgi?id=2252185 • CWE-287: Improper Authentication CWE-502: Deserialization of Untrusted Data •

CVSS: 10.0EPSS: 97%CPEs: 12EXPL: 15

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue. Apache ActiveMQ es vulnerable a la ejecución remota de código. La vulnerabilidad puede permitir que un atacante remoto con acceso a la red de un corredor ejecute comandos de shell arbitrarios manipulando tipos de clases serializadas en el protocolo OpenWire para hacer que el corredor cree una instancia de cualquier clase en el classpath. Se recomienda a los usuarios actualizar a la versión 5.15.16, 5.16.7, 5.17.6 o 5.18.3, que soluciona este problema. • https://github.com/SaumyajeetDas/CVE-2023-46604-RCE-Reverse-Shell-Apache-ActiveMQ https://github.com/sule01u/CVE-2023-46604 https://github.com/mrpentst/CVE-2023-46604 https://github.com/ST3G4N05/ExploitScript-CVE-2023-46604 https://github.com/evkl1d/CVE-2023-46604 https://github.com/duck-sec/CVE-2023-46604-ActiveMQ-RCE-pseudoshell https://github.com/justdoit-cai/CVE-2023-46604-Apache-ActiveMQ-RCE-exp https://github.com/h3x3h0g/ActiveMQ-RCE-CVE-2023-46604-Write-up https://github.com • CWE-502: Deserialization of Untrusted Data •

CVSS: 6.1EPSS: 4%CPEs: 4EXPL: 0

An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the message.jsp page of Apache ActiveMQ versions 5.15.12 through 5.16.0. Se identificó una instancia de una vulnerabilidad de tipo cross-site scripting en la consola de administración basada en web en la página message.jsp de Apache ActiveMQ versiones 5.15.12 hasta 5.16.0 • http://activemq.apache.org/security-advisories.data/CVE-2020-13947-announcement.txt https://lists.apache.org/thread.html/r021c490028f61c8b6f7e38efb98e61693b0cbb6b99b02238c6fc7d66%40%3Ccommits.activemq.apache.org%3E https://lists.apache.org/thread.html/ra66791f1f2b59fa651a81cec5202acdfbf34c2154fc0ff200301cc1c%40%3Cdev.activemq.apache.org%3E https://lists.apache.org/thread.html/ra66791f1f2b59fa651a81cec5202acdfbf34c2154fc0ff200301cc1c%40%3Cusers.activemq.apache.org%3E https://www.oracle.com/security-alerts/cpuApr2021.html https://www.oracle.com/security-alerts/cpu • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.1EPSS: 0%CPEs: 10EXPL: 0

The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid users password in error, resulting in no check on the password. El módulo de inicio de sesión LDAP de ActiveMQ opcional puede ser configurado para usar el acceso anónimo al servidor LDAP. En este caso, para Apache ActiveMQ Artemis anterior a versión 2.16.0 y Apache ActiveMQ anterior a versiones 5.16.1 y 5.15.14, el contexto anónimo es usado para verificar una contraseña de usuario válida por error, resultando en una comprobación de la contraseña A flaw was found in activemq. When anonymous binds are enabled on the LDAP provider (zero length DN/password) and the LDAP module is configured to make use of these, client credentials are not correctly verified and authentication is effectively bypassed. • https://lists.apache.org/thread.html/r110cacfa754471361234965ffe851a046e302ff2693b055f49f47b02%40%3Cissues.activemq.apache.org%3E https://lists.apache.org/thread.html/r22cdc0fb45e223ac92bc2ceff7af92f1193dfc614c8b248534456229%40%3Cissues.activemq.apache.org%3E https://lists.apache.org/thread.html/r3341d96d8f956e878fb7b463b08d57ca1d58fec9c970aee929b58e0d%40%3Cissues.activemq.apache.org%3E https://lists.apache.org/thread.html/r519bfafd67091d0b91243efcb1c49b1eea27321355ba5594f679277d%40%3Cissues.activemq.apache.org%3E https://lists.apache.org/thread.html/r5899ece90bcae5805ad6142fdb05c58595cff19cb2e98cc58a • CWE-287: Improper Authentication •

CVSS: 5.9EPSS: 0%CPEs: 5EXPL: 0

Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12. Apache ActiveMQ usa la función LocateRegistry.createRegistry() para crear el registro RMI de JMX y vincular el servidor a la entrada "jmxrmi". • http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7%40%3Ccommits.activemq.apache.org%3E https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3Ccommits.activemq.apache.org%3E https://lists.debian.org/debian-lts-announce/2020/10/msg00013.html https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html https://www.oracle.com/security-alerts/cpuoct2020.html https:/& • CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function •