This is an automated email from the ASF dual-hosted git repository.

asf-gitbox-commits pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/activemq-website.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 72ef61a5f Automatic Site Publish by Buildbot
72ef61a5f is described below

commit 72ef61a5f7b201a45a95b5a78997fbc50a5304cd
Author: buildbot <[email protected]>
AuthorDate: Sun May 31 16:14:43 2026 +0000

    Automatic Site Publish by Buildbot
---
 output/components/classic/security.html            |  6 ++++
 .../CVE-2026-42253-announcement.txt                | 31 +++++++++++++++++++
 .../CVE-2026-42588-announcement.txt                | 34 +++++++++++++++++++++
 .../CVE-2026-45505-announcement.txt                | 35 ++++++++++++++++++++++
 .../CVE-2026-46605-announcement.txt                | 27 +++++++++++++++++
 .../CVE-2026-49157-announcement.txt                | 25 ++++++++++++++++
 .../CVE-2026-49270-announcement.txt                | 28 +++++++++++++++++
 7 files changed, 186 insertions(+)

diff --git a/output/components/classic/security.html 
b/output/components/classic/security.html
index b41607bf5..982befbb4 100644
--- a/output/components/classic/security.html
+++ b/output/components/classic/security.html
@@ -97,6 +97,12 @@
 <p>See the main <a href="../../security-advisories">Security Advisories</a> 
page for details for other components and general information such as reporting 
new security issues.</p>
 
 <ul>
+  <li><a 
href="../../security-advisories.data/CVE-2026-49270-announcement.txt">CVE-2026-49270</a>
 - Durable Subscription Disclosure via Crafted BrokerInfo (OpenWire)</li>
+  <li><a 
href="../../security-advisories.data/CVE-2026-49157-announcement.txt">CVE-2026-49157</a>
 - Authenticated low-privilege Web users retain Jolokia broker-management 
capability by default</li>
+  <li><a 
href="../../security-advisories.data/CVE-2026-46605-announcement.txt">CVE-2026-46605</a>
 - Incomplete authorization during destination removal</li>
+  <li><a 
href="../../security-advisories.data/CVE-2026-45505-announcement.txt">CVE-2026-45505</a>
 - Jolokia “addNetworkConnector” Discovery Wrapper Bypass</li>
+  <li><a 
href="../../security-advisories.data/CVE-2026-42588-announcement.txt">CVE-2026-42588</a>
 - Remote Code Execution via Jolokia addNetworkConnector</li>
+  <li><a 
href="../../security-advisories.data/CVE-2026-42253-announcement.txt">CVE-2026-42253</a>
 - HTTP Response Header Injection via JMS Message Properties</li>
   <li><a 
href="../../security-advisories.data/CVE-2026-41044-announcement.txt">CVE-2026-41044</a>
 - Authenticated user can perform RCE via DestinationView MBean exposed by 
Jolokia</li>
   <li><a 
href="../../security-advisories.data/CVE-2026-41043-announcement.txt">CVE-2026-41043</a>
 - ActiveMQ Web Console -  XSS vulnerability when browsing queues</li>
   <li><a 
href="../../security-advisories.data/CVE-2026-40466-announcement.txt">CVE-2026-40466</a>
 - Possible bypass of CVE-2026-34197 via HTTP discovery second-stage URI</li>
diff --git a/output/security-advisories.data/CVE-2026-42253-announcement.txt 
b/output/security-advisories.data/CVE-2026-42253-announcement.txt
new file mode 100644
index 000000000..5be1d15ee
--- /dev/null
+++ b/output/security-advisories.data/CVE-2026-42253-announcement.txt
@@ -0,0 +1,31 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.7
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.6
+- Apache ActiveMQ Web (org.apache.activemq:activemq-web) before 5.19.7
+- Apache ActiveMQ Web (org.apache.activemq:activemq-web) 6.0.0 before 6.2.6
+
+Description:
+
+Improper Neutralization of Input During Web Page Generation ('Cross-site 
Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web.
+
+The MessageServlet in the ActiveMQ web console API copies every JMS message
+property into an HTTP response header without any validation. This can allow 
overwriting and injecting security headers by setting them on JMS messages that 
are returned by the servlet.
+
+This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; 
Apache ActiveMQ Web: before 5.19.7, from 6.0.0 before 6.2.6.
+
+Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the 
issue. The MessageServlet has now been deprecated and disabled by default.
+
+Credit:
+
+Vishal Shukla (finder)
+pyn3rd (finder)
+uname (finder)
+4ra1n (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-42253
diff --git a/output/security-advisories.data/CVE-2026-42588-announcement.txt 
b/output/security-advisories.data/CVE-2026-42588-announcement.txt
new file mode 100644
index 000000000..fb0d8e9d8
--- /dev/null
+++ b/output/security-advisories.data/CVE-2026-42588-announcement.txt
@@ -0,0 +1,34 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.7
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 
6.2.6
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.7
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.6
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.7
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.6
+
+Description:
+
+Improper Input Validation, Improper Control of Generation of Code ('Code 
Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, 
Apache ActiveMQ.
+
+Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ 
on the web console. The default Jolokia access policy permits exec operations 
on all ActiveMQ MBeans (org.apache.activemq:*), including
+BrokerService.addNetworkConnector(String).
+
+An authenticated attacker can invoke these operations with a crafted discovery 
URI that triggers the VM transport's brokerConfig parameter using the 
"masterslave:// " URL which can allow loading a Spring XML application context 
using ResourceXmlApplicationContext.
+Because Spring's ResourceXmlApplicationContext instantiates all singleton 
beans before the BrokerService validates the configuration, arbitrary code 
execution occurs on the broker's JVM through bean factory methods such as 
Runtime.exec().
+This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 
6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache 
ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.
+
+Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the 
issue.
+
+Credit:
+
+pyn3rd (finder)
+uname (finder)
+4ra1n (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-42588
diff --git a/output/security-advisories.data/CVE-2026-45505-announcement.txt 
b/output/security-advisories.data/CVE-2026-45505-announcement.txt
new file mode 100644
index 000000000..d0dd86256
--- /dev/null
+++ b/output/security-advisories.data/CVE-2026-45505-announcement.txt
@@ -0,0 +1,35 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.7
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 
6.2.6
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.7
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.6
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.7
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.6
+
+Description:
+
+Improper Input Validation, Improper Control of Generation of Code ('Code 
Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, 
Apache ActiveMQ.
+
+
+Non-parenthesized discovery wrappers such as `masterslave:vm://...,...`
+and `static:vm://...` incorrectly pass validation allowing bypass of fix in 
CVE-2026-34197.
+
+Original description from CVE-2026-34197.
+
+Apache ActiveMQ exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the 
web console. The default Jolokia access policy permits exec operations on all 
ActiveMQ MBeans (org.apache.activemq:*), including 
BrokerService.addNetworkConnector(String) and 
BrokerService.addConnector(String). An authenticated attacker can invoke these 
operations with a crafted discovery UR that triggers the VM transport's 
brokerConfig parameter to load a remote Spring XML application context using 
ResourceXmlAp [...]
+This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 
6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache 
ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.
+
+Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the 
issue.
+
+Credit:
+
+lokerxx (finder)
+
+References:
+
+https://nvd.nist.gov/vuln/detail/CVE-2026-34197
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-45505
diff --git a/output/security-advisories.data/CVE-2026-46605-announcement.txt 
b/output/security-advisories.data/CVE-2026-46605-announcement.txt
new file mode 100644
index 000000000..ca3c67d99
--- /dev/null
+++ b/output/security-advisories.data/CVE-2026-46605-announcement.txt
@@ -0,0 +1,27 @@
+Severity: moderate
+
+Affected versions:
+
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.7
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 
6.2.6
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.7
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.6
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.7
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.6
+
+Description:
+
+Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and 
v5.19.7 allows authenticated connections to remove existing destinations with 
proper permissions.
+
+This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 
6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache 
ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.
+
+Users are recommended to upgrade to version v6.2.6 or v5.19.7, which fixes the 
issue.
+
+Credit:
+
+Leon Johnson (github: lokerxx) (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-46605
diff --git a/output/security-advisories.data/CVE-2026-49157-announcement.txt 
b/output/security-advisories.data/CVE-2026-49157-announcement.txt
new file mode 100644
index 000000000..f587ec6ae
--- /dev/null
+++ b/output/security-advisories.data/CVE-2026-49157-announcement.txt
@@ -0,0 +1,25 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.7
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.6
+
+Description:
+
+Incorrect Default Permissions vulnerability in Apache ActiveMQ.
+
+This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.
+
+The default Jolokia authorization settings granted non-admin (low-privilege) 
web-login accounts access to Jolokia operations which allowed executing broker 
management operations meant for admins such as addQueue and removeQueue.
+
+Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the 
issue.
+
+Credit:
+
+Leon Johnson (github: lokerxx) (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-49157
diff --git a/output/security-advisories.data/CVE-2026-49270-announcement.txt 
b/output/security-advisories.data/CVE-2026-49270-announcement.txt
new file mode 100644
index 000000000..8ab0d33ac
--- /dev/null
+++ b/output/security-advisories.data/CVE-2026-49270-announcement.txt
@@ -0,0 +1,28 @@
+Severity: moderate
+
+Affected versions:
+
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 5.14.0 before 
5.19.7
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 
6.2.6
+- Apache ActiveMQ (org.apache.activemq:activemq-all) 5.14.0 before 5.19.7
+- Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.6
+- Apache ActiveMQ All (org.apache.activemq:apache-activemq) 5.14.0 before 
5.19.7
+- Apache ActiveMQ All (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.6
+
+Description:
+
+Exposure of Sensitive Information Through Metadata vulnerability in Apache 
ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All.
+
+Brokers that are configured with a network connector with syncDurableSubs set 
to true, are vulnerable to an unauthenticated attacker who can receive a list 
of all durable topic subscriptions in the broker, including client identifiers, 
subscription names, topic destinations, and JMS selector expressions, by 
sending a BrokerInfo command. The broker incorrectly responds without first 
ensuring the connection is authenticated.
+This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 
6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ 
All: before 5.19.7, from 6.0.0 before 6.2.6.
+
+Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the 
issue.
+
+Credit:
+
+Basel Khaled (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-49270


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact


Reply via email to