Gggggggga

**Name of the Vulnerable Software and Affected Versions** Apache ActiveMQ Broker versions prior to 5.19.6 Apache ActiveMQ Broker versions 6.0.0 through 6.2.4 Apache ActiveMQ All versions prior to 5.19.6 Apache ActiveMQ All versions 6.0.0 through 6.2.4 Apache ActiveMQ versions prior to 5.19.6 Apache ActiveMQ versions 6.0.0 through 6.2.4 **Description** Improper input validation and improper control of code generation allow an authenticated attacker to achieve remote code execution on the broker's JVM. If the `activemq-http` module is on the classpath, an attacker can use Jolokia to add a connector via `BrokerView.addNetworkConnector()` or `BrokerView.addConnector()` using an HTTP Discovery transport. A malicious HTTP endpoint can return a VM transport through the HTTP URI, bypassing existing validations. The attacker can then utilize the `brokerConfig` parameter of the VM transport to load a remote Spring XML application context via `ResourceXmlApplicationContext`. Since `ResourceXmlApplicationContext` instantiates all singleton beans before the `BrokerService` validates the configuration, arbitrary code can be executed through bean factory methods such as `Runtime.exec()`. **Recommendations** Upgrade Apache ActiveMQ Broker versions prior to 5.19.6 to version 5.19.6. Upgrade Apache ActiveMQ Broker versions 6.0.0 through 6.2.4 to version 6.2.5. Upgrade Apache ActiveMQ All versions prior to 5.19.6 to version 5.19.6. Upgrade Apache ActiveMQ All versions 6.0.0 through 6.2.4 to version 6.2.5. Upgrade Apache ActiveMQ versions prior to 5.19.6 to version 5.19.6. Upgrade Apache ActiveMQ versions 6.0.0 through 6.2.4 to version 6.2.5.

**Name of the Vulnerable Software and Affected Versions** running-elephant Datart version 1.0.0-rc3 **Description** A critical issue affects the `extractModel` function of the File Upload component, specifically in the `/import` file. The manipulation of the `file` argument leads to deserialization. This issue can be exploited remotely. The exploit has been publicly disclosed, and the vendor was notified but did not respond. **Recommendations** For running-elephant Datart version 1.0.0-rc3, as a temporary workaround, consider disabling the `extractModel` function until a patch is available. Restrict access to the File Upload component to minimize the risk of exploitation. Avoid using the `file` argument in the affected `/import` endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.