PT-2024-3291 · Apache · Apache Activemq

Martin Zeissig

·

Published

2024-04-11

·

Updated

2026-06-10

·

CVE-2024-32114

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Apache ActiveMQ versions 6.x prior to 6.1.2
Description The default configuration does not secure the API web context, leading to insecure resource initialization due to a lack of authentication. This allows remote attackers to use the Jolokia JMX REST API to interact with the broker, or the Message REST API to produce, consume, purge, or delete messages and destinations. This may result in unauthorized read, modification, or deletion of information.
Recommendations Upgrade to version 6.1.2. As a temporary mitigation, update the conf/jetty.xml configuration file to add an authentication requirement by including the securityConstraintMapping bean with the pathSpec variable set to /.

Exploit

Fix

DoS

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2024-03523
BIT-ACTIVEMQ-2024-32114
CVE-2024-32114
GHSA-GJ5M-M88J-V7C3

Affected Products

Apache Activemq