PT-2016-3677 · Apache · Apache Activemq

Alvaro Muñoz +5 · Published 2015-10-16 · Updated 2026-06-09 · CVE-2015-5254

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Apache ActiveMQ versions prior to 5.13.0

Description

The Java Message Service (JMS) in the broker fails to restrict the classes that can be serialized, leading to unsafe deserialization. This lack of input validation allows a remote attacker to execute arbitrary code by sending a specially crafted serialized ObjectMessage object.

Recommendations

Update to version 5.13.0 or later.

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2026-05661
CVE-2015-5254
DSA-3524-1
GHSA-Q9HR-3PG4-3JP4
RHSA-2016:0489

Affected Products

Apache Activemq