Lucene search
K

Apache ActiveMQ 6.x < 6.1.2 - Broken Access Control

🗓️ 09 Jul 2026 03:01:09Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 14 Views

ActiveMQ 6.x before 6.1.2 has unauthenticated API access via Jetty web context.

Related
Refs
Code
id: CVE-2024-32114

info:
  name: Apache ActiveMQ 6.x < 6.1.2 - Broken Access Control
  author: ChrisJr404
  severity: high
  description: |
    Apache ActiveMQ 6.x contains an unauthenticated API web context caused by default configuration lacking security measures in the Jetty server, letting anyone interact with broker APIs and messaging layers, exploit requires no authentication.
  impact: |
    Unauthenticated users can interact with the broker, potentially producing, consuming, or deleting messages and accessing sensitive management APIs.
  remediation: |
    Upgrade to Apache ActiveMQ 6.1.2 or later, or update `conf/jetty.xml` to require authentication on the `/api/` web context.
  reference:
    - https://activemq.apache.org/security-advisories.data/CVE-2024-32114-announcement.txt
    - https://github.com/vulhub/vulhub/tree/master/activemq/CVE-2024-32114
    - https://github.com/advisories/GHSA-gj5m-m88j-v7c3
    - https://nvd.nist.gov/vuln/detail/CVE-2024-32114
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2024-32114
    cwe-id: CWE-1188
    epss-score: 0.0692
    epss-percentile: 0.93331
  metadata:
    verified: true
    max-request: 2
    vendor: apache
    product: activemq
    shodan-query: http.title:"ActiveMQ"
    fofa-query: title="ActiveMQ"
  tags: cve,cve2024,activemq,apache,jolokia,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/jolokia/search/org.apache.activemq:type=Broker,*"

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "request\":{", "type=Broker", "mbean\":", "org.apache.activemq")'
          - 'contains(content_type, "text/plain")'
          - 'status_code == 200'
        condition: and
# digest: 490a00463044022079e42479496bff0912fb279c900df58cfbee7462dc7010da950fab54ae48202402202494676c082d05949f3ff311f2cf9431a346a4945af2bdfa2dcf249bbe0f711f:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 May 2026 17:06Current
7.3High risk
Vulners AI Score7.3
CVSS 3.18.5 - 8.8
EPSS0.0692
SSVC
14