CVSS: 9.0EPSS: 63%CPEs: 2EXPL: 1CVE-2022-41678 – Apache ActiveMQ: Insufficient API restrictions on Jolokia allow authenticated users to perform RCE
https://notcve.org/view.php?id=CVE-2022-41678
28 Nov 2023 — Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution. In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject. And calls to org.jolokia.http.HttpRequestHandler#executeRequest. Into deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest can be invoked through refection. This could lead to RC... • https://github.com/mbadanoiu/CVE-2022-41678 • CWE-287: Improper Authentication CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 94%CPEs: 12EXPL: 30CVE-2023-46604 – Apache ActiveMQ Deserialization of Untrusted Data Vulnerability
https://notcve.org/view.php?id=CVE-2023-46604
27 Oct 2023 — The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this is... • https://packetstorm.news/files/id/175676 • CWE-502: Deserialization of Untrusted Data •