PT-2024-3291 · Apache · Apache Activemq

Martin Zeissig · Published 2024-04-11 · Updated 2026-05-14 · CVE-2024-32114

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Apache ActiveMQ versions prior to 6.1.2

Description
The default configuration does not secure the API web context, which houses the Jolokia JMX REST API and the Message REST API. This allows unauthorized users to access these layers without authentication. Consequently, an attacker can interact with the broker via the Jolokia JMX REST API or use the Message REST API to produce, consume, purge, or delete messages and destinations. Real-world exploitation of this issue has been detected.

Recommendations
Upgrade to version 6.1.2. As a temporary workaround, update the conf/jetty.xml configuration file to add authentication requirements by configuring the securityConstraintMapping bean with the pathSpec variable set to '/'.
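The following jetty.xml fragment illustrates the workaround above. It is an added example, not text from this advisory or configuration shipped by the Apache ActiveMQ project: the bean class names, the referenced securityConstraint bean and the narrow "before" pathSpec value are assumptions based on the jetty.xml that ActiveMQ ships, so compare them with your own conf/jetty.xml before editing.

```xml
<!-- Added illustration of the advisory's workaround; not copied from the advisory
     or from the ActiveMQ project. Class names, the "securityConstraint" reference and
     the narrow pathSpec below are assumptions: check them against your conf/jetty.xml. -->

<!-- Before (assumed weak shape): the authentication constraint is mapped only to the
     admin console, so the API web context (Jolokia JMX REST API and Message REST API)
     answers requests that carry no credentials. -->
<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint" />
    <property name="pathSpec" value="/admin/*,*.jsp" />
</bean>

<!-- After (the advisory's workaround): map the same constraint to pathSpec '/' so every
     context served by the embedded Jetty, including the API context, requires
     authentication. Keep only this definition of the bean in the file. -->
<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint" />
    <property name="pathSpec" value="/" />
</bean>
```

Restart the broker after the change and confirm the effect from a client host: an unauthenticated request to the API web context should now be rejected with HTTP 401 instead of returning broker data. Because pathSpec '/' covers the whole web root, any other resource under the embedded Jetty also becomes subject to the same realm; review the accounts defined for that realm so that only intended operators hold them. The workaround is a stopgap, and upgrading to 6.1.2 remains the recommended fix.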

Fix

Weakness Enumeration: Missing Authentication

Related Identifiers

BDU:2024-03523
BIT-ACTIVEMQ-2024-32114
CVE-2024-32114
GHSA-GJ5M-M88J-V7C3

Affected Products

Apache Activemq