Apache · ActiveMQ · CVE-2026-49270
**Name of the Vulnerable Software and Affected Versions**
Apache ActiveMQ Broker versions prior to 5.19.7
Apache ActiveMQ Broker versions 6.0.0 through 6.2.5
Apache ActiveMQ versions prior to 5.19.7
Apache ActiveMQ versions 6.0.0 through 6.2.5
Apache ActiveMQ All versions prior to 5.19.7
Apache ActiveMQ All versions 6.0.0 through 6.2.5
**Description**
An exposure of sensitive information through metadata occurs when brokers are configured with a network connector where `syncDurableSubs` is set to true. An unauthenticated attacker can retrieve a list of all durable topic subscriptions in the broker by sending a BrokerInfo command. The broker fails to ensure the connection is authenticated before responding, potentially leaking client identifiers, subscription names, topic destinations, and JMS selector expressions.
**Recommendations**
Upgrade to version 5.19.7
Upgrade to version 6.2.6
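A triage check for the condition described above, as an added example that is not part of the original advisory or Apache's code: it tests a broker version against the affected ranges listed here and scans an `activemq.xml` for network connectors with `syncDurableSubs` enabled. The sample configuration, connector names, host names and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample activemq.xml fragment (not from the advisory).
SAMPLE_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="hub">
    <networkConnectors>
      <networkConnector name="to-edge" uri="static:(tcp://edge.example:61616)"
                        syncDurableSubs="true"/>
      <networkConnector name="to-dr" uri="static:(tcp://dr.example:61616)"/>
      <networkConnector name="to-lab" uri="static:(tcp://lab.example:61616)"
                        syncDurableSubs="${sync.subs}"/>
    </networkConnectors>
  </broker>
</beans>"""

def is_affected_version(version):
    """Ranges from the advisory: prior to 5.19.7, or 6.0.0 through 6.2.5."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    v = tuple(int(p) for p in m.groups())
    return v < (5, 19, 7) or (6, 0, 0) <= v <= (6, 2, 5)

def sync_durable_subs_connectors(xml_text):
    """Return {connector name: 'enabled' | 'unresolved'} for connectors to review."""
    findings = {}
    for elem in ET.fromstring(xml_text).iter():
        # Match on the local name so the check works with or without a namespace.
        if elem.tag.rsplit("}", 1)[-1] != "networkConnector":
            continue
        # An absent attribute is treated as false here.
        value = elem.get("syncDurableSubs", "false").strip()
        name = elem.get("name", "<unnamed>")
        if value.lower() == "true":
            findings[name] = "enabled"
        elif value.startswith("${"):
            # Property placeholder: the effective value lives outside this file.
            findings[name] = "unresolved"
    return findings

def exposed(version, xml_text):
    """True when the version is in range and a connector has the setting enabled."""
    return is_affected_version(version) and \
        "enabled" in sync_durable_subs_connectors(xml_text).values()

if __name__ == "__main__":
    print(sync_durable_subs_connectors(SAMPLE_CONFIG))
    for ver in ("5.19.6", "6.2.5", "6.2.6"):
        print(ver, "exposed" if exposed(ver, SAMPLE_CONFIG) else "not exposed")
```

Connectors reported as `unresolved` take their value from a property placeholder, so the effective setting has to be confirmed from the properties source the broker loads.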