PT-2024-3291 · Apache · Apache Activemq
Martin Zeissig
·
Published
2024-04-11
·
Updated
2026-06-10
·
CVE-2024-32114
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Apache ActiveMQ versions 6.x prior to 6.1.2
Description
The default configuration does not secure the API web context, leading to insecure resource initialization due to a lack of authentication. This allows remote attackers to use the Jolokia JMX REST API to interact with the broker, or the Message REST API to produce, consume, purge, or delete messages and destinations. This may result in unauthorized read, modification, or deletion of information.
Recommendations
Upgrade to version 6.1.2.
As a temporary mitigation, update the
conf/jetty.xml configuration file to add an authentication requirement by including the securityConstraintMapping bean with the pathSpec variable set to /.Exploit
Fix
DoS
Missing Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Apache Activemq