org.apache.activemq:activemq-client 5.9.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.activemq:activemq-client package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Memory Allocation with Excessive Size Value org.apache.activemq:activemq-client is a high performance Apache 2.0 licensed Message Broker and JMS 1.1 implementation. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value during the unmarshalling of OpenWire commands, where the size value of buffers is not properly validated. An attacker can deplete process memory and cause service disruptions by sending crafted messages. How to fix Memory Allocation with Excessive Size Value? Upgrade `org.apache.activemq:activemq-client` to version 5.16.8, 5.17.7, 5.18.7, 6.1.6 or higher.	[,5.16.8)[5.17.0,5.17.7)[5.18.0,5.18.7)[6.0.0,6.1.6)
C Deserialization of Untrusted Data org.apache.activemq:activemq-client is a high performance Apache 2.0 licensed Message Broker and JMS 1.1 implementation. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the `OpenWire` protocol. An attacker with network access to a broker or client can run arbitrary shell commands by manipulating serialized class types, causing the affected broker or client to instantiate any class on the classpath. How to fix Deserialization of Untrusted Data? Upgrade `org.apache.activemq:activemq-client` to version 5.15.16, 5.16.7, 5.17.6, 5.18.3 or higher.	[,5.15.16)[5.16.0,5.16.7)[5.17.0,5.17.6)[5.18.0,5.18.3)
L Denial of Service (DoS) org.apache.activemq:activemq-client is a high performance Apache 2.0 licensed Message Broker and JMS 1.1 implementation. Affected versions of this package are vulnerable to Denial of Service (DoS) in the `ActiveMQConnection` class. An attacker could use this flaw to achieve denial of service on a client. How to fix Denial of Service (DoS)? Upgrade `org.apache.activemq:activemq-client` to version 5.14.5 or higher.	[5.0.0,5.14.5)
H Man-in-the-Middle (MitM) org.apache.activemq:activemq-client is a high performance Apache 2.0 licensed Message Broker and JMS 1.1 implementation. Affected versions of this package are vulnerable to Man-in-the-Middle (MitM) due to missing TLS hostname verification. How to fix Man-in-the-Middle (MitM)? Upgrade `org.apache.activemq:activemq-client` to version 5.15.6 or higher.	[5.0.0,5.15.6)
C Arbitrary Code Execution org.apache.activemq:activemq-client is a high performance Apache 2.0 licensed Message Broker and JMS 1.1 implementation. Affected versions of this package are vulnerable to Arbitrary Code Execution. Apache ActiveMQ doesn't restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object. How to fix Arbitrary Code Execution? Upgrade `org.apache.activemq:activemq-client` to version 5.11.3, 5.12.2 or higher.	[,5.11.3)[5.12.0,5.12.2)
C XML External Entity (XXE) Injection org.apache.activemq:activemq-client is a high performance Apache 2.0 licensed Message Broker and JMS 1.1 implementation. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. This could allow remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages. How to fix XML External Entity (XXE) Injection? Upgrade `org.apache.activemq:activemq-client` to version 5.10.1 or higher.	[5,5.10.1)

Vulnerability

Vulnerable Version

Memory Allocation with Excessive Size Value