Apache · Apache ActiveMQ · CVE-2024-32114
**Name of the Vulnerable Software and Affected Versions**
Apache ActiveMQ versions 6.x prior to 6.1.2
**Description**
The default configuration does not secure the API web context, leading to insecure resource initialization due to a lack of authentication. This allows remote attackers to use the Jolokia JMX REST API to interact with the broker, or the Message REST API to produce, consume, purge, or delete messages and destinations. This may result in unauthorized read, modification, or deletion of information.
**Recommendations**
Upgrade to version 6.1.2.
As a temporary mitigation, edit the `conf/jetty.xml` configuration file so that authentication is required for the whole web context: the `securityConstraintMapping` bean must be present with its `pathSpec` property set to `/`, rather than a narrower path pattern that leaves the API context unprotected.
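The mitigation above written out as a `conf/jetty.xml` fragment. This is an added illustration, not text from the advisory or from the ActiveMQ project; the Jetty class names and the companion `securityConstraint` bean follow the layout of the stock ActiveMQ `jetty.xml` and are assumptions to verify against the file shipped with your installation.

```xml
<!-- conf/jetty.xml (excerpt): require authentication on the entire web context.
     Added illustration; class names assume the stock ActiveMQ 6.x jetty.xml. -->
<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC" />
    <property name="roles" value="user,admin" />
    <!-- authenticate=true makes Jetty answer unauthenticated requests with 401 -->
    <property name="authenticate" value="true" />
</bean>

<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint" />
    <!-- "/" matches every path under the web context, so the Jolokia and Message
         REST APIs are covered. A narrower pathSpec leaves the API context open,
         which is the weak default this advisory describes. -->
    <property name="pathSpec" value="/" />
</bean>

<!-- The mapping only takes effect if it is listed in the security handler,
     as it is in the stock file (bean id assumed here). -->
<bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
    <property name="loginService" ref="securityLoginService" />
    <property name="authenticator">
        <bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
    </property>
    <property name="constraintMappings">
        <list>
            <ref bean="securityConstraintMapping" />
        </list>
    </property>
</bean>
```

After restarting the broker, an unauthenticated request to any path under the web context should receive HTTP 401 instead of broker data; if it still returns JMX or message content, the mapping is not being applied.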