63 matches found
CVE-2016-3088
CVE-2016-3088 affects Apache ActiveMQ 5.x prior to 5.14.0. The Fileserver web application is vulnerable to remote code execution: an HTTP PUT followed by an HTTP MOVE request lets an attacker upload an arbitrary file and move it to a location where the server executes it. Connected PoC repositories describe Python-based a...
CVE-2025-27533
CVE-2025-27533 in Apache ActiveMQ stems from unchecked buffer length during OpenWire unmarshalling, allowing excessive memory allocation and DoS. Affected versions include 6.0.0–6.1.5, 5.18.0–5.18.6, 5.17.0–5.17.6, 5.16.0–5.16.7; 5.19.0 is not affected. If not using mutual TLS, brokers may be vul...
CVE-2023-46604
CVE-2023-46604 (Apache ActiveMQ OpenWire deserialization RCE) has concrete details in the connected sources: the Java OpenWire protocol marshaller is vulnerable to remote code execution. A remote attacker with network access to a Java-based OpenWire broker or client can execute arbitrary shell comman...
CVE-2021-21341
CVE-2021-21341 affects the XStream Java library (unmarshalling) prior to 1.4.16. The vulnerability enables a remote attacker to cause a denial-of-service by consuming 100% CPU time via manipulated input streams. Impact is described as CPU denial of service; no user impact if the recommended Secur...
CVE-2021-21342
CVE-2021-21342 affects the Java library XStream (prior to 1.4.16). During unmarshalling, the processed input stream can include type information used to recreate objects, enabling an attacker to inject/replace objects and trigger a server-side request forgery (SSRF). The documented fix is to upgrade to at least...
CVE-2021-21343
CVE-2021-21343 affects XStream (Java) prior to 1.4.16. The vulnerability arises during unmarshalling when the processed input stream carries type information, enabling an attacker to create new instances based on that data and potentially replace or inject objects, including causing local file de...
CVE-2021-21344
Summary: CVE-2021-21344 affects the XStream Java XML serialization library. In versions before 1.4.16, a remote attacker can load and execute arbitrary code by manipulating the processed input stream. The risk is mitigated if the security framework whitelist is properly configured; otherwise the ...
CVE-2021-21351
CVE-2021-21351 is an XStream deserialization vulnerability. Connected IBM advisories confirm the issue affects IBM Data Risk Manager (IDRM) and IBM Engineering/Test Management products via bundled XStream versions, with exploitation through unmarshalling to achieve arbitrary code execution. Remed...
CVE-2020-26217
XStream (Java) is vulnerable to remote code execution via insecure XML deserialization. The issue affects versions before 1.4.14, where processing input streams can lead to arbitrary shell execution. The advisory notes that only users relying on a blocklist are affected, while those using the securit...
CVE-2021-21345
CVE-2021-21345 affects the XStream Java library. Per connected sources, vulnerable versions are those before 1.4.16, where an attacker with sufficient rights can remotely execute commands on the host by manipulating the processed input stream. The issue is mitigated by upgrading to 1.4.16 or late...
CVE-2021-21346
XStream (Java XML serialization library) has CVE-2021-21346 among the batch of XStream CVEs (CVE-2021-21341 through CVE-2021-21351) disclosed together in March 2021. The issue affects XStream prior to 1.4.16, where processing input streams can lead to remote code execution or related impacts if exploitation occurs, with mitigations including enabling the Securi...
CVE-2021-21347
CVE-2021-21347 affects XStream Java library (pre-1.4.16). The vulnerability allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream, with high severity when not using a proper security framework. Guidance across sources indicates u...
CVE-2021-21349
XStream (Java) before 1.4.16 is vulnerable to an input-stream manipulation flaw (CVE-2021-21349) that may allow a remote attacker to access data from internal resources not publicly available. The issue arises from processing the input stream during deserialization. A fix is available in XStream ...
CVE-2021-21350
CVE-2021-21350 affects the XStream Java library. Connected sources confirm that before version 1.4.16 XStream allowed remote code execution by manipulating the processed input stream, with guidance to enable a security whitelist and upgrade to at least 1.4.16. Debian security advisories (DSA-5004...
CVE-2013-7285
CVE-2013-7285: XStream API (versions up to 1.4.6, and version 1.4.10) may allow remote code execution if the security framework is not initialized during unmarshalling of XML/JSON streams. IBM’s bulletin for IBM Storage Copy Data Management cites this as a vulnerability affecting 2.2.x releases and instru...
CVE-2021-21348
XStream (Java) before version 1.4.16 is vulnerable to a denial of service where a remote attacker can cause a thread to consume maximum CPU time and not return. Public documents consistently describe the issue as affecting XStream’s XML deserialization, with mitigation requiring upgrading to at l...
CVE-2019-0201
CVE-2019-0201 affects Apache ZooKeeper up to versions 3.4.13 and 3.5.4-beta, where getACL() does not enforce permissions and returns the ACL Id in plaintext. When Digest Authentication is in use, the unsalted hash value contained in the Id field can be disclosed to unauthenticated or unprivileged...
CVE-2012-5784
The CVE-2012-5784 issue concerns Apache Axis 1.4 and earlier, where the server certificate's CN/subjectAltName is not checked against the requested hostname, allowing man-in-the-middle attacks with any valid certificate. The flaw affects Axis-based components (e.g., PayPal-related integrations and JMS in ActiveMQ) and has led to multiple advisories (i...
CVE-2019-0222
CVE-2019-0222 affects Apache ActiveMQ 5.0.0–5.15.8. Description: unmarshalling of a corrupt MQTT frame can cause a broker Out of Memory, rendering the broker unresponsive. The upstream fix is ActiveMQ 5.15.9. Enterprise/Nessus entries in the connected docs nevertheless classify this as an unpatched/vulnerable issue with no vendor patch available...
CVE-2015-1830
CVE-2015-1830 is a directory traversal flaw in the Fileserver upload/download feature (blob messages) of Apache ActiveMQ 5.x before 5.11.2 on Windows. An attacker can place a JSP file in an arbitrary directory, potentially causing remote code execution or shell access by leveraging the traversal vulnerability in the fileserver...
CVE-2019-10241
CVE-2019-10241 affects Eclipse Jetty prior to specific release lines: 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older. The vulnerability is an XSS due to improper validation of user-supplied input by DefaultServlet and ResourceHandler when a remote client uses a specially crafted URL to ...
CVE-2015-5254
CVE-2015-5254 is a deserialization vulnerability in Apache ActiveMQ 5.x prior to 5.13.0. The broker does not restrict serialized classes, enabling remote attackers to execute arbitrary code via a crafted JMS ObjectMessage. Several connected advisories confirm the issue and note mitigations: upgra...
CVE-2018-11775
CVE-2018-11775 affects the Apache ActiveMQ Client, where TLS hostname verification was missing prior to version 5.15.6, enabling a potential MITM between a Java application and the ActiveMQ server. Hostname verification is enabled by default in the fixed versions, and the issue is addressed by upgrading the ActiveMQ client...
CVE-2021-26117
CVE-2021-26117 describes an LDAP authentication weakness in the optional ActiveMQ LDAP login module where anonymous access can bypass password verification. Connected sources confirm affected lines: Apache ActiveMQ Artemis prior to 2.16.0 and Apache ActiveMQ prior to 5.16.1 and 5.15.14. Debian/Ub...
CVE-2020-13920
CVE-2020-13920 affects Apache ActiveMQ through a JMX RMI registry authentication flaw. An unauthenticated client can bind a proxy to the jmxrmi entry, enabling MITM-style interception of credentials when users connect. Affected guidance: upgrade to a fixed ActiveMQ release (initial advisory cites...
CVE-2022-41678
CVE-2022-41678 : In Apache ActiveMQ, an authenticated user can reach remote code execution through the Jolokia/JMX endpoint (e.g., /api/jolokia): exposed MBean operations on the Log4j and JDK Flight Recorder (JFR) paths can be abused to write a webshell to disk. The vector is Jolokia's exposure of those file-writing MBean operations to any authenticated console user rather than a deserialization flaw; the fix (5.16.6, 5.17.4, 5.18.0, 6.0.0) restricts what Jolokia may invoke via jolokia-access.xml.
CVE-2024-32114
Apache ActiveMQ 6.x is affected by CVE-2024-32114 due to an insecure default configuration that leaves the API web context (Jolokia JMX REST API and Message REST API) unauthenticated. This allows an attacker to access these layers without credentials and, per the advisory, potentially interact wi...
CVE-2015-7559
CVE-2015-7559: Apache ActiveMQ client before 5.14.5 exposes a remote shutdown command in ActiveMQConnection, enabling a remote authenticated attacker to cause denial of service on a connected client. Affected software is the Apache ActiveMQ client (pre-5.14.5). Remediation: upgrade to 5.14.5 or l...
CVE-2020-1941
CVE-2020-1941 affects Apache ActiveMQ (versions 5.0.0–5.15.11). The connected Nessus entry for this CVE confirms an XSS flaw in the ActiveMQ web console (admin GUI) specifically in the view that lists the contents of a queue. Root cause details are not elaborated beyond the XSS indication in the ...
CVE-2014-3612
CVE-2014-3612 affects Apache ActiveMQ 5.x (JAAS LDAPLoginModule). The vulnerability lets an attacker authenticate with a valid username and an empty password, causing an unauthenticated bind and bypass of authentication. Remediation: upgrade to ActiveMQ 5.10.1 or later (or apply vendor patch) as ...
CVE-2014-3600
CVE-2014-3600 is an XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x prior to 5.10.1. The issue allows remote consumers to trigger an XXE via an XPath-based selector when dequeuing XML messages, potentially exposing sensitive data. Public sources in the connected docs confirm Active...
CVE-2014-3576
CVE-2014-3576 affects Apache ActiveMQ before 5.11.0, where the processControlCommand function in broker/TransportConnection.java allows a remote attacker to shut down the broker via a shutdown command, causing a denial of service. The vulnerability is confirmed in multiple connected sources, incl...
CVE-2020-13947
CVE-2020-13947 affects Apache ActiveMQ’s web-based administration console (message.jsp). An XSS vulnerability arises from insufficient validation of user-supplied input in the console, allowing a remote attacker to execute script in a victim’s browser and potentially steal cookies or credentials....
CVE-2018-8006
CVE-2018-8006 affects Apache ActiveMQ versions 5.0.0–5.15.5, where the web-based administration console on the queue.jsp page is vulnerable to cross-site scripting. The root cause is improper data filtering of the QueueFilter parameter, allowing an attacker to execute script in a victim’s browser...
CVE-2015-6524
CVE-2015-6524 affects Apache ActiveMQ 5.x, where the LDAPLoginModule in JAAS allows wildcard operators in usernames. This enables remote attackers to obtain credentials via brute-forcing usernames. The document set explicitly ties this vulnerability to ActiveMQ 5.x prior to 5.10.1 and notes the i...
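Both LDAPLoginModule flaws above (CVE-2014-3612's empty-password bind and CVE-2015-6524's wildcard usernames) are stopped before the directory is ever contacted. The following is an added example, not ActiveMQ project code: a login front-end that refuses empty passwords and applies RFC 4515 escaping to the username before it is substituted into the search filter. The `(uid={0})` template is a hypothetical default standing in for whatever userSearchMatching pattern a deployment uses.

```python
"""Guarding an LDAP login path against the two LDAPLoginModule flaws above.

Added example (not ActiveMQ project code). The filter template is a hypothetical
default; substitute the deployment's own userSearchMatching pattern.
"""

# RFC 4515 section 3: characters that carry meaning inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it is matched literally, never as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, template: str = "(uid={0})") -> str:
    """Build the user-search filter with the username escaped.

    A raw '*' would turn the lookup into an enumeration, which is how the
    CVE-2015-6524 brute force recovered valid usernames piece by piece.
    """
    if not username:
        raise ValueError("empty username")
    return template.format(escape_filter_value(username))


def credentials_acceptable(username: str, password: str) -> bool:
    """Policy check that must run before any bind or search is attempted."""
    # A simple bind with a DN and an EMPTY password is an "unauthenticated bind"
    # (RFC 4513 section 5.1.2): the server answers success without checking
    # anything. Treating that result as a login is the CVE-2014-3612 bypass.
    if not username or not password:
        return False
    # Belt and braces: the filter escapes these, but account names containing
    # filter metacharacters are not legitimate here and are rejected outright.
    return not any(ch in username for ch in "*()\\\x00")


if __name__ == "__main__":
    print(build_user_filter("a*)(uid=*"))          # (uid=a\2a\29\28uid=\2a)
    print(credentials_acceptable("alice", ""))     # False
```

The order matters: `credentials_acceptable` runs first, so an empty password never produces a bind request at all, and the escaping in `build_user_filter` means a username that slips through with a `*` is searched for literally instead of as a pattern.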
CVE-2020-11998
CVE-2020-11998 affects Apache ActiveMQ. A regression in the commit for JMX re-bind allows a remote attacker to cause code execution by crafting an MLet MBean, due to passing an empty environment map to RMIConnectorServer. Mitigation is to upgrade to Apache ActiveMQ 5.15.13. Exploitation status is...
CVE-2013-1879
CVE-2013-1879 is a Cross-site scripting (XSS) vulnerability in scheduled.jsp of Apache ActiveMQ 5.8.0 and earlier, allowing remote attackers to inject arbitrary script via the cron-of-a-message vector. The IBM/PSirt references note the vulnerability details and base score (4.3) with the same vect...
CVE-2011-4905
CVE-2011-4905 : Apache ActiveMQ is vulnerable to denial of service via the failover path. Specifically, ActiveMQ versions before 5.6.0 can exhaust file descriptors and trigger broker crashes or hangs when remote attackers send many openwire failover:tcp:// connection requests. Remediation in the ...
CVE-2017-15709
CVE-2017-15709 affects ActiveMQ when using the OpenWire protocol (versions 5.14.0–5.15.2), where certain system details (e.g., OS/kernel version) are exposed as plaintext, enabling information disclosure. Remediation per connected docs: upgrade to a fixed ActiveMQ release (e.g., 5.15.3+ or the De...
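The WireFormatInfo a broker sends on OpenWire connect carries both the ProviderVersion that decides exposure to CVE-2023-46604 (fixed in 5.15.16, 5.16.7, 5.17.6 and 5.18.3; older 5.x lines never received a fix) and the PlatformDetails field whose OS/kernel contents CVE-2017-15709 concerns. The following is an added example, not ActiveMQ project code: a parser for that frame in the OpenWire loose encoding (size prefix, command type 1, 8-byte magic, version, primitive map of properties) plus the version checks. The sample frame is constructed in the block, not captured from a real broker, and the property names and value tags are taken from ActiveMQ's MarshallingSupport conventions.

```python
"""Fingerprint an ActiveMQ broker from the WireFormatInfo it sends on OpenWire connect.

Added example, not ActiveMQ project code. Frame layout follows the OpenWire loose
encoding of the initial WireFormatInfo; the fixture below is constructed, not a
capture. ProviderVersion drives the CVE-2023-46604 check and PlatformDetails is
the field whose OS/kernel contents CVE-2017-15709 concerns.
"""
import re
import socket
import struct
from typing import Any, Dict, Tuple

WIREFORMAT_INFO, MAGIC = 1, b"ActiveMQ"
BOOLEAN_TYPE, INTEGER_TYPE, LONG_TYPE, STRING_TYPE = 1, 5, 6, 9  # MarshallingSupport tags

def _utf(s: str) -> bytes:
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data

def _read_utf(buf: bytes, off: int) -> Tuple[str, int]:
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n

def build_wireformat_info(version: int, props: Dict[str, Any]) -> bytes:
    """Marshal a WireFormatInfo frame (used here only to build the test fixture)."""
    pmap = struct.pack(">i", len(props))
    for key, val in props.items():
        if isinstance(val, bool):
            pmap += _utf(key) + bytes([BOOLEAN_TYPE, int(val)])
        elif isinstance(val, int):
            pmap += _utf(key) + bytes([LONG_TYPE]) + struct.pack(">q", val)
        else:
            pmap += _utf(key) + bytes([STRING_TYPE]) + _utf(str(val))
    body = bytes([WIREFORMAT_INFO]) + MAGIC + struct.pack(">i", version)
    body += b"\x01" + struct.pack(">i", len(pmap)) + pmap     # properties present + length
    return struct.pack(">i", len(body)) + body

def parse_wireformat_info(frame: bytes) -> Dict[str, Any]:
    """Unmarshal the broker's WireFormatInfo into its property map."""
    (size,) = struct.unpack_from(">i", frame, 0)
    body = frame[4:4 + size]
    if len(body) != size or body[0] != WIREFORMAT_INFO or body[1:9] != MAGIC:
        raise ValueError("not a complete OpenWire WireFormatInfo frame")
    props: Dict[str, Any] = {"OpenWireVersion": struct.unpack_from(">i", body, 9)[0]}
    if body[13] == 0:                                        # no marshalled properties
        return props
    (plen,) = struct.unpack_from(">i", body, 14)
    pmap, off = body[18:18 + plen], 4
    for _ in range(struct.unpack_from(">i", pmap, 0)[0]):
        key, off = _read_utf(pmap, off)
        tag, off = pmap[off], off + 1
        if tag == BOOLEAN_TYPE:
            props[key], off = bool(pmap[off]), off + 1
        elif tag == INTEGER_TYPE:
            props[key], off = struct.unpack_from(">i", pmap, off)[0], off + 4
        elif tag == LONG_TYPE:
            props[key], off = struct.unpack_from(">q", pmap, off)[0], off + 8
        elif tag == STRING_TYPE:
            props[key], off = _read_utf(pmap, off)
        else:
            raise ValueError(f"unsupported property type {tag} for {key}")
    return props

def _parse_version(text: str) -> Tuple[int, int, int]:
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else (0, 0, 0)

def vulnerable_to_cve_2023_46604(provider_version: str) -> bool:
    """Fixed in 5.15.16, 5.16.7, 5.17.6 and 5.18.3; older 5.x lines never got a fix."""
    major, minor, patch = _parse_version(provider_version)
    if major != 5:
        return False                                          # 6.x shipped after the fix
    if minor < 15:
        return True
    fixed_patch = {15: 16, 16: 7, 17: 6, 18: 3}.get(minor)    # 5.19+ is not affected
    return fixed_patch is not None and patch < fixed_patch

def fingerprint(props: Dict[str, Any]) -> Dict[str, Any]:
    version = str(props.get("ProviderVersion", ""))
    return {
        "ProviderVersion": version,
        "PlatformDetails": props.get("PlatformDetails"),
        "CVE-2023-46604": vulnerable_to_cve_2023_46604(version),
        "CVE-2017-15709": (5, 14, 0) <= _parse_version(version) < (5, 15, 3),
    }

def grab_wireformat_info(host: str, port: int = 61616, timeout: float = 5.0) -> bytes:
    """Read the WireFormatInfo a broker sends as soon as the TCP connection opens."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        head = s.recv(4)
        (size,) = struct.unpack(">i", head)
        data = b""
        while len(data) < size:
            chunk = s.recv(size - len(data))
            if not chunk:
                raise ConnectionError("broker closed the connection early")
            data += chunk
    return head + data

# Constructed fixture mimicking an unpatched 5.15.2 broker (not a real capture).
SAMPLE_FRAME = build_wireformat_info(12, {
    "TightEncodingEnabled": True, "MaxFrameSize": 104857600,
    "ProviderName": "ActiveMQ", "ProviderVersion": "5.15.2",
    "PlatformDetails": "Linux 4.15.0 amd64",
})
```

Against a live broker, `fingerprint(parse_wireformat_info(grab_wireformat_info(host)))` needs nothing but a TCP connection, because the broker volunteers the frame before the client sends a byte; that is also why the PlatformDetails leak of CVE-2017-15709 needed no credentials.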
CVE-2012-6092
Summary of CVE-2012-6092: Cross-site scripting in Apache ActiveMQ web demos Affected software: Apache ActiveMQ web demos (demo/portfolioPublish and related webapp/websocket/chat.js) prior to 5.8.0. What is vulnerable: Multiple XSS vulnerabilities via (1) refresh parameter to PortfolioPublishServl...
CVE-2016-0734
CVE-2016-0734 affects Apache ActiveMQ 5.x before 5.13.2. The vulnerability arises because the web-based Admin Console does not send the X-Frame-Options header, enabling clickjacking via a crafted page containing FRAME/IFRAME elements. Connected IBM/industry reports corroborate the CVE and tie rem...
CVE-2016-0782
CVE-2016-0782: Apache ActiveMQ 5.x prior to 5.11.4, 5.12.x prior to 5.12.3, and 5.13.x prior to 5.13.2 is vulnerable to cross-site scripting via the web admin console. The defect is improper validation of user-supplied input in the Admin Web console, enabling remote authenticated users to execute...
CVE-2010-1587
The CVE-2010-1587 issue affects Apache ActiveMQ with the Jetty ResourceHandler. It enables a remote attacker to disclose JSP source code by sending a URI beginning with // that targets admin/index.jsp, admin/queues.jsp, or admin/topics.jsp. Affected products/versions are ActiveMQ 5.x before 5.3...
CVE-2012-6551
CVE-2012-6551 affects Apache ActiveMQ: the default configuration enables a sample web application, allowing remote attackers to cause broker resource exhaustion (DoS) via HTTP requests. Affected version: ActiveMQ before 5.8.0. Impact is denial of service to the broker; no exploitation details are...
CVE-2014-8110
Apache ActiveMQ (5.x) prior to 5.10.1 is affected by cross-site scripting in the web-based admin console (CVE-2014-8110). Attacks could inject script/HTML via unspecified vectors and, per related IBM advisories, could lead to credential theft via cookies. Remote exploitation is possible if expose...
CVE-2016-6810
CVE-2016-6810 affects Apache ActiveMQ 5.x prior to 5.14.2, where the web-based administration console is vulnerable to cross-site scripting due to improper user data output validation. The issue could allow a remote attacker to execute script in a victim’s browser via the admin console URL. Remed...
CVE-2013-3060
CVE-2013-3060 affects Apache ActiveMQ pre-5.8.0, where the web console did not require authentication. This allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests. Public sources in the provided documents (e.g., ActiveMQ advisories and related Red H...
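Several of the web-console entries on this page (the unauthenticated console of CVE-2013-3060 and unauthenticated API context of CVE-2024-32114, the missing X-Frame-Options header of CVE-2016-0734, the reflected QueueFilter of CVE-2018-8006 and the fileserver PUT that starts the CVE-2016-3088 chain) are all checkable with unauthenticated HTTP requests. The following is an added example, not ActiveMQ project code: one audit routine over an injected HTTP layer, so it runs here against a constructed fake broker and against a real host via `http_fetcher`. The paths assume the stock console layout (`/admin/queues.jsp`, `/fileserver/`, `/api/jolokia/`) and are assumptions to adjust for a given deployment; the probe file written to the fileserver is removed again with DELETE.

```python
"""Offline-testable audit of an ActiveMQ web console for the issues listed above.

Added example, not ActiveMQ project code. The HTTP layer is injected so the checks
run here against a constructed fake broker; http_fetcher wires them to a real host.
Paths assume the stock console layout and may need adjusting per deployment.
"""
import http.client
import secrets
from dataclasses import dataclass
from html import escape
from typing import Callable, Dict, List, Tuple
from urllib.parse import quote, unquote

Response = Tuple[int, Dict[str, str], str]       # status, lower-cased headers, body
Fetcher = Callable[[str, str, str], Response]    # (method, path, body) -> Response


@dataclass(frozen=True)
class Finding:
    cve: str
    detail: str


def http_fetcher(host: str, port: int = 8161, timeout: float = 5.0) -> Fetcher:
    """Real transport. No credentials are sent, so any 200 means anonymous access."""
    def fetch(method: str, path: str, body: str) -> Response:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request(method, path, body=body or None, headers={"User-Agent": "amq-audit"})
        resp = conn.getresponse()
        data = resp.read().decode("utf-8", "replace")
        conn.close()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}, data
    return fetch


def audit_console(fetch: Fetcher) -> List[Finding]:
    findings: List[Finding] = []
    marker = "amqaudit" + secrets.token_hex(4)

    # Anonymous access to the admin console and to the Jolokia API context.
    for path, cve in (("/admin/", "CVE-2013-3060"), ("/api/jolokia/", "CVE-2024-32114")):
        status, headers, _ = fetch("GET", path, "")
        if status != 200:
            continue
        findings.append(Finding(cve, f"{path} answers 200 without credentials"))
        if path == "/admin/" and "x-frame-options" not in headers:
            findings.append(Finding("CVE-2016-0734", "admin console sends no X-Frame-Options header"))

    # QueueFilter reflection: the raw marker coming back is the XSS; an HTML-escaped
    # echo (&lt;...&gt;) is the fixed behaviour and is not flagged.
    probe = f"<{marker}>"
    status, _, body = fetch("GET", f"/admin/queues.jsp?QueueFilter={quote(probe)}", "")
    if status == 200 and probe in body:
        findings.append(Finding("CVE-2018-8006", "QueueFilter is reflected unescaped in queues.jsp"))

    # Fileserver accepts an unauthenticated PUT (the upload half of the PUT+MOVE chain).
    target = f"/fileserver/{marker}.txt"
    status, _, _ = fetch("PUT", target, "audit probe\n")
    if status in (200, 201, 204):
        findings.append(Finding("CVE-2016-3088", f"PUT {target} accepted (HTTP {status})"))
        fetch("DELETE", target, "")      # the fileserver servlet also handles DELETE; remove the probe
    return findings


def fake_broker(vulnerable: bool) -> Fetcher:
    """Constructed stand-in for a console (not a capture): fully exposed or fully fixed."""
    def fetch(method: str, path: str, body: str) -> Response:
        if path.startswith("/admin/queues.jsp?QueueFilter="):
            value = unquote(path.split("=", 1)[1])
            echo = value if vulnerable else escape(value)
            return 200, {"content-type": "text/html"}, f"<html>Filter: {echo}</html>"
        if path.startswith("/admin/"):
            if vulnerable:
                return 200, {"content-type": "text/html"}, "<html>ActiveMQ console</html>"
            return 401, {"www-authenticate": 'basic realm="ActiveMQRealm"', "x-frame-options": "SAMEORIGIN"}, ""
        if path == "/api/jolokia/":
            return (200, {}, '{"value":{"agent":"jolokia"}}') if vulnerable else (401, {}, "")
        if path.startswith("/fileserver/") and method == "PUT":
            return (204, {}, "") if vulnerable else (401, {}, "")
        if path.startswith("/fileserver/") and method == "DELETE":
            return 204, {}, ""
        return 404, {}, ""
    return fetch


if __name__ == "__main__":
    for finding in audit_console(fake_broker(True)):
        print(finding.cve, "-", finding.detail)
```

Only the PUT check changes state on the target, which is why it writes a uniquely named text file and deletes it afterwards; the MOVE half of the CVE-2016-3088 chain is deliberately not attempted, since a successful PUT already proves the precondition.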
CVE-2013-1880
CVE-2013-1880 (ActiveMQ) : XSS in the Portfolio publisher servlet of the Apache ActiveMQ demo web app prior to 5.9.0. By supplying a crafted value to the refresh parameter of demo/portfolioPublish, an attacker can inject arbitrary script/HTML. Root cause: improper validation/neutralization of inp...
CVE-2010-0684
Apache ActiveMQ (the server) is affected by CVE-2010-0684 due to an input validation flaw in the createDestination.action handler. The JMSDestination parameter can be exploited to inject arbitrary script/HTML in the admin UI, leading to cross-site scripting. The issue requires an authenticated re...
CVE-2010-1244
Apache ActiveMQ contains a CSRF vulnerability in createDestination.action that affects releases prior to 5.3.1. An attacker could remotely hijack an authenticated user’s session to create queues via the JMSDestination parameter in a queue action. The issue is documented across multiple sources ty...