org.apache.activemq:activemq-broker@5.15.12

  • latest version: 6.2.7

  • first published: 13 years ago

  • latest version published: 10 days ago

  • Direct Vulnerabilities

    Known vulnerabilities in the org.apache.activemq:activemq-broker package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable version

    • [Medium] External Control of System or Configuration Setting

    org.apache.activemq:activemq-broker is a high-performance, Apache 2.0-licensed message broker and JMS 1.1 implementation.

    Affected versions of this package are vulnerable to External Control of System or Configuration Setting in the LdapNetworkConnector process. An attacker can instantiate unauthorized transports and trigger the creation of an additional broker service within the same JVM by publishing or modifying LDAP entries that match the configured searchBase and searchFilter.

    How to fix External Control of System or Configuration Setting?

    Upgrade org.apache.activemq:activemq-broker to version 5.19.8, 6.2.7 or higher.

    Vulnerable versions: [,5.19.8), [6.0.0,6.2.7)

    • [High] Memory Allocation with Excessive Size Value

    Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via the unmarshalling process of OpenWire message property maps without proper size validation. An attacker can exhaust system memory and cause a broker crash by sending a crafted message with a large encoded size value.

    How to fix Memory Allocation with Excessive Size Value?

    Upgrade org.apache.activemq:activemq-broker to version 5.19.8, 6.2.7 or higher.

    Vulnerable versions: [,5.19.8), [6.0.0,6.2.7)

    • [Medium] Missing Authorization

    Affected versions of this package are vulnerable to Missing Authorization in the process that manages temporary destinations. An attacker can gain unauthorized access to consume messages from another user's temporary destination by establishing a separate connection and bypassing client-side isolation checks.

    How to fix Missing Authorization?

    Upgrade org.apache.activemq:activemq-broker to version 5.19.8, 6.2.7 or higher.

    Vulnerable versions: [,5.19.8), [6.0.0,6.2.7)

    • [Medium] Improper Authorization

    Affected versions of this package are vulnerable to Improper Authorization due to incomplete authorization checks in the destination removal process. An attacker can remove existing destinations without sufficient permissions by leveraging an authenticated connection.

    How to fix Improper Authorization?

    Upgrade org.apache.activemq:activemq-broker to version 5.19.7, 6.2.6 or higher.

    Vulnerable versions: [,5.19.7), [6.0.0,6.2.6)

    • [High] Improper Input Validation

    Affected versions of this package are vulnerable to Improper Input Validation over the /api/jolokia MBeans interface. A user can execute arbitrary code on the broker's JVM by invoking operations with a malicious discovery URI that feeds into the VM transport's brokerConfig parameter, causing a remote Spring XML application context to be loaded via ResourceXmlApplicationContext. This allows the instantiation of malicious beans through factory methods such as Runtime.exec().

    Note:

    This is a bypass of the fix for CVE-2026-34197.

    How to fix Improper Input Validation?

    Upgrade org.apache.activemq:activemq-broker to version 5.19.7, 6.2.6 or higher.

    Vulnerable versions: [,5.19.7), [6.0.0,6.2.6)

    • [High] Improper Input Validation

    Affected versions of this package are vulnerable to Improper Input Validation through the addNetworkConnector function exposed via the Jolokia JMX-HTTP bridge. An attacker can achieve arbitrary code execution by invoking MBean operations with a crafted discovery URI that leverages the VM transport's brokerConfig parameter, resulting in the loading of a malicious Spring XML application context. This leads to the instantiation of attacker-controlled beans before configuration validation, allowing execution of arbitrary commands on the broker's JVM.

    How to fix Improper Input Validation?

    Upgrade org.apache.activemq:activemq-broker to version 5.19.7, 6.2.6 or higher.

    Vulnerable versions: [,5.19.7), [6.0.0,6.2.6)

    • [High] Exposure of Sensitive Information Through Metadata

    Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Metadata in the BrokerInfo component. An attacker can obtain sensitive metadata, including client identifiers, subscription names, topic destinations, and JMS selector expressions, by sending a crafted BrokerInfo command to the broker.

    Note:

    This is only exploitable if the broker is configured with a network connector and the syncDurableSubs setting is enabled.

    How to fix Exposure of Sensitive Information Through Metadata?

    Upgrade org.apache.activemq:activemq-broker to version 5.19.7, 6.2.6 or higher.

    Vulnerable versions: [,5.19.7), [6.0.0,6.2.6)

    • [High] Arbitrary Code Injection

    Affected versions of this package are vulnerable to Arbitrary Code Injection in the DestinationView MBean exposed by Jolokia. An attacker can achieve arbitrary code execution by crafting a malicious broker name that bypasses validation, embedding an xbean binding that is later used by a VM transport to load a remote Spring XML application. This allows the attacker to trigger the loading of a malicious Spring XML context file, resulting in the instantiation of arbitrary beans and execution of code on the broker's JVM through methods such as Runtime.exec().

    How to fix Arbitrary Code Injection?

    Upgrade org.apache.activemq:activemq-broker to version 5.19.6, 6.2.5 or higher.

    Vulnerable versions: [,5.19.6), [6.0.0,6.2.5)

    • [High] Arbitrary Code Injection

    Affected versions of this package are vulnerable to Arbitrary Code Injection over the /api/jolokia MBeans interface. A user can execute arbitrary code on the broker's JVM by invoking operations with a malicious discovery URI that feeds into the VM transport's brokerConfig parameter, causing a remote Spring XML application context to be loaded via ResourceXmlApplicationContext. This allows the instantiation of malicious beans through factory methods such as Runtime.exec().

    Note:

    This is a bypass of the fix for CVE-2026-34197.

    How to fix Arbitrary Code Injection?

    Upgrade org.apache.activemq:activemq-broker to version 5.19.6, 6.2.5 or higher.

    Vulnerable versions: [,5.19.6), [6.0.0,6.2.5)

    • [High] Arbitrary Code Injection

    Affected versions of this package are vulnerable to Arbitrary Code Injection over the /api/jolokia MBeans interface. A user can execute arbitrary code on the broker's JVM by invoking operations with a malicious discovery URI that feeds into the VM transport's brokerConfig parameter, causing a remote Spring XML application context to be loaded via ResourceXmlApplicationContext. This allows the instantiation of malicious beans through factory methods such as Runtime.exec().

    How to fix Arbitrary Code Injection?

    Upgrade org.apache.activemq:activemq-broker to version 5.19.4, 6.2.3 or higher.

    Vulnerable versions: [,5.19.4), [6.0.0,6.2.3)

    • [High] Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in NIO SSL transport processing. An attacker can cause the broker to exhaust all available memory and disrupt service availability by rapidly triggering TLS 1.3 handshake KeyUpdates from a client connection.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade org.apache.activemq:activemq-broker to version 5.19.5, 6.2.4 or higher.

    Vulnerable versions: [,5.19.5), [6.0.0,6.2.4)

    • [Medium] Directory Traversal

    Affected versions of this package are vulnerable to Directory Traversal via improper validation of classpath path names in the key parameter during the creation of a Stomp consumer and while browsing messages in the Web console. An attacker can access unauthorized classpath resources by supplying crafted input that causes path traversal.

    Note:

    Due to a path separator resolution bug, Windows users are recommended to upgrade to version 5.19.4 or 6.2.3.

    How to fix Directory Traversal?

    Upgrade org.apache.activemq:activemq-broker to version 5.19.3, 6.2.2 or higher.

    Vulnerable versions: [,5.19.3), [6.0.0,6.2.2)

    • [High] Arbitrary Code Execution

    Affected versions of this package are vulnerable to Arbitrary Code Execution. A regression has been introduced in Apache ActiveMQ while preventing JMX re-bind (CVE-2020-13920). By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html

    A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code.

    How to fix Arbitrary Code Execution?

    Upgrade org.apache.activemq:activemq-broker to version 5.15.13 or higher.

    Vulnerable versions: [5.15.12,5.15.13)