This is an automated email from the ASF dual-hosted git repository.
cshannon pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-website.git
The following commit(s) were added to refs/heads/main by this push:
new e8ccd2c16 Add new cves
e8ccd2c16 is described below
commit e8ccd2c1642e817de19be323940ba1ac258f50b7
Author: Christopher L. Shannon <[email protected]>
AuthorDate: Sun May 31 12:12:58 2026 -0400
Add new cves
---
src/components/classic/security.md | 6 ++++
.../CVE-2026-42253-announcement.txt | 31 +++++++++++++++++++
.../CVE-2026-42588-announcement.txt | 34 +++++++++++++++++++++
.../CVE-2026-45505-announcement.txt | 35 ++++++++++++++++++++++
.../CVE-2026-46605-announcement.txt | 27 +++++++++++++++++
.../CVE-2026-49157-announcement.txt | 25 ++++++++++++++++
.../CVE-2026-49270-announcement.txt | 28 +++++++++++++++++
7 files changed, 186 insertions(+)
diff --git a/src/components/classic/security.md
b/src/components/classic/security.md
index 1fb2f82e0..24222e7f3 100644
--- a/src/components/classic/security.md
+++ b/src/components/classic/security.md
@@ -9,6 +9,12 @@ Details of security problems fixed in released versions of
Apache ActiveMQ Class
See the main [Security Advisories](../../security-advisories) page for details
for other components and general information such as reporting new security
issues.
+*
[CVE-2026-49270](../../security-advisories.data/CVE-2026-49270-announcement.txt)
- Durable Subscription Disclosure via Crafted BrokerInfo (OpenWire)
+*
[CVE-2026-49157](../../security-advisories.data/CVE-2026-49157-announcement.txt)
- Authenticated low-privilege Web users retain Jolokia broker-management
capability by default
+*
[CVE-2026-46605](../../security-advisories.data/CVE-2026-46605-announcement.txt)
- Incomplete authorization during destination removal
+*
[CVE-2026-45505](../../security-advisories.data/CVE-2026-45505-announcement.txt)
- Jolokia "addNetworkConnector" Discovery Wrapper Bypass
+*
[CVE-2026-42588](../../security-advisories.data/CVE-2026-42588-announcement.txt)
- Remote Code Execution via Jolokia addNetworkConnector
+*
[CVE-2026-42253](../../security-advisories.data/CVE-2026-42253-announcement.txt)
- HTTP Response Header Injection via JMS Message Properties
*
[CVE-2026-41044](../../security-advisories.data/CVE-2026-41044-announcement.txt)
- Authenticated user can perform RCE via DestinationView MBean exposed by
Jolokia
*
[CVE-2026-41043](../../security-advisories.data/CVE-2026-41043-announcement.txt)
- ActiveMQ Web Console - XSS vulnerability when browsing queues
*
[CVE-2026-40466](../../security-advisories.data/CVE-2026-40466-announcement.txt)
- Possible bypass of CVE-2026-34197 via HTTP discovery second-stage URI
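Review bot: the summary line for CVE-2026-42253 in this list (HTTP Response Header Injection via JMS Message Properties) does not match the weakness named in the linked announcement, whose first sentence classifies the issue as Cross-site Scripting; settle on one classification and use it in both places so readers searching by weakness type land on the right entry. The CVE-2026-45505 line would also be clearer if it said it is a bypass of CVE-2026-34197, as the existing CVE-2026-40466 entry does, since both describe the same fix being circumvented.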
diff --git a/src/security-advisories.data/CVE-2026-42253-announcement.txt
b/src/security-advisories.data/CVE-2026-42253-announcement.txt
new file mode 100644
index 000000000..5be1d15ee
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-42253-announcement.txt
@@ -0,0 +1,31 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.7
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.6
+- Apache ActiveMQ Web (org.apache.activemq:activemq-web) before 5.19.7
+- Apache ActiveMQ Web (org.apache.activemq:activemq-web) 6.0.0 before 6.2.6
+
+Description:
+
+Improper Neutralization of Input During Web Page Generation ('Cross-site
Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web.
+
+The MessageServlet in the ActiveMQ web console API copies every JMS message
+property into an HTTP response header without any validation. This can allow
overwriting and injecting security headers by setting them on JMS messages that
are returned by the servlet.
+
+This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6;
Apache ActiveMQ Web: before 5.19.7, from 6.0.0 before 6.2.6.
+
+Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the
issue. The MessageServlet has now been deprecated and disabled by default.
+
+Credit:
+
+Vishal Shukla (finder)
+pyn3rd (finder)
+uname (finder)
+4ra1n (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-42253
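Review bot: the opening sentence of the description names Cross-site Scripting, but the paragraph that follows describes overwriting and injecting HTTP response headers, which is a different weakness; align the classification sentence with the behaviour actually described (the security.md entry calls it HTTP Response Header Injection). The remediation line states that the MessageServlet is deprecated and disabled by default in 5.19.7 and 6.2.6, but not whether the property-to-header copy is validated for deployments that re-enable the servlet, nor how an operator can confirm it is disabled; one sentence on each would make the advisory actionable.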
diff --git a/src/security-advisories.data/CVE-2026-42588-announcement.txt
b/src/security-advisories.data/CVE-2026-42588-announcement.txt
new file mode 100644
index 000000000..fb0d8e9d8
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-42588-announcement.txt
@@ -0,0 +1,34 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.7
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before
6.2.6
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.7
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.6
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.7
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.6
+
+Description:
+
+Improper Input Validation, Improper Control of Generation of Code ('Code
Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All,
Apache ActiveMQ.
+
+Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/
on the web console. The default Jolokia access policy permits exec operations
on all ActiveMQ MBeans (org.apache.activemq:*), including
+BrokerService.addNetworkConnector(String).
+
+An authenticated attacker can invoke these operations with a crafted discovery
URI that triggers the VM transport's brokerConfig parameter using the
"masterslave:// " URL which can allow loading a Spring XML application context
using ResourceXmlApplicationContext.
+Because Spring's ResourceXmlApplicationContext instantiates all singleton
beans before the BrokerService validates the configuration, arbitrary code
execution occurs on the broker's JVM through bean factory methods such as
Runtime.exec().
+This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before
6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache
ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.
+
+Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the
issue.
+
+Credit:
+
+pyn3rd (finder)
+uname (finder)
+4ra1n (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-42588
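Review bot: the quoted scheme `"masterslave:// "` in the attacker paragraph has a stray space before the closing quote and will be copied verbatim into downstream CVE records; it should read `"masterslave://"`. The paragraphs beginning `+Because Spring's` and `+This issue affects` are not separated from the preceding text by a blank line, unlike the other announcement files in this commit. Since the stated root cause is that the default Jolokia access policy permits exec on every org.apache.activemq MBean, the advisory should also say whether the fix tightens that default policy or only the discovery URI handling, and whether restricting the policy is a supported mitigation for users who cannot upgrade immediately.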
diff --git a/src/security-advisories.data/CVE-2026-45505-announcement.txt
b/src/security-advisories.data/CVE-2026-45505-announcement.txt
new file mode 100644
index 000000000..d0dd86256
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-45505-announcement.txt
@@ -0,0 +1,35 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.7
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before
6.2.6
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.7
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.6
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.7
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.6
+
+Description:
+
+Improper Input Validation, Improper Control of Generation of Code ('Code
Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All,
Apache ActiveMQ.
+
+
+Non-parenthesized discovery wrappers such as `masterslave:vm://...,...`
+and `static:vm://...` incorrectly pass validation allowing bypass of fix in
CVE-2026-34197.
+
+Original description from CVE-2026-34197.
+
+Apache ActiveMQ exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the
web console. The default Jolokia access policy permits exec operations on all
ActiveMQ MBeans (org.apache.activemq:*), including
BrokerService.addNetworkConnector(String) and
BrokerService.addConnector(String). An authenticated attacker can invoke these
operations with a crafted discovery UR that triggers the VM transport's
brokerConfig parameter to load a remote Spring XML application context using
ResourceXmlAp [...]
+This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before
6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache
ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.
+
+Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the
issue.
+
+Credit:
+
+lokerxx (finder)
+
+References:
+
+https://nvd.nist.gov/vuln/detail/CVE-2026-34197
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-45505
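Review bot: `allowing bypass of fix in CVE-2026-34197` should read `allowing a bypass of the fix for CVE-2026-34197`, and the affected-version ranges appear to be copied from the original CVE even though a bypass only matters for releases that shipped the CVE-2026-34197 fix; naming those releases would tell readers whether they are exposed to both issues or only this one. Smaller points: the quoted original description has `discovery UR` where `discovery URI` is meant, there are two consecutive blank lines before `Non-parenthesized discovery wrappers`, and `Original description from CVE-2026-34197.` introduces the quoted text so it reads better ending with a colon.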
diff --git a/src/security-advisories.data/CVE-2026-46605-announcement.txt
b/src/security-advisories.data/CVE-2026-46605-announcement.txt
new file mode 100644
index 000000000..ca3c67d99
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-46605-announcement.txt
@@ -0,0 +1,27 @@
+Severity: moderate
+
+Affected versions:
+
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.7
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before
6.2.6
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.7
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.6
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.7
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.6
+
+Description:
+
+Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and
v5.19.7 allows authenticated connections to remove existing destinations with
proper permissions.
+
+This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before
6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache
ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.
+
+Users are recommended to upgrade to version v6.2.6 or v5.19.7, which fixes the
issue.
+
+Credit:
+
+Leon Johnson (github: lokerxx) (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-46605
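Review bot: the sentence `allows authenticated connections to remove existing destinations with proper permissions` describes the intended behaviour rather than a flaw; if the bug is that removal succeeds without the relevant permission being checked, it should say `without proper permissions` (or name the permission that is skipped), otherwise the advisory states no vulnerability. The version strings `v6.2.6` and `v5.19.7` also differ from the unprefixed `5.19.7` and `6.2.6` used in the affected-versions block and in the other announcements.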
diff --git a/src/security-advisories.data/CVE-2026-49157-announcement.txt
b/src/security-advisories.data/CVE-2026-49157-announcement.txt
new file mode 100644
index 000000000..f587ec6ae
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-49157-announcement.txt
@@ -0,0 +1,25 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.7
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.6
+
+Description:
+
+Incorrect Default Permissions vulnerability in Apache ActiveMQ.
+
+This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.
+
+The default Jolokia authorization settings granted non-admin (low-privilege)
web-login accounts access to Jolokia operations which allowed executing broker
management operations meant for admins such as addQueue and removeQueue.
+
+Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the
issue.
+
+Credit:
+
+Leon Johnson (github: lokerxx) (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-49157
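Review bot: the `This issue affects` line is placed before the paragraph that explains the bug, whereas the other five announcements put it after the description; reorder for consistency. The description says the default Jolokia authorization settings granted non-admin accounts management operations such as addQueue and removeQueue, but not what the corrected default is or what happens to deployments that ship a customised access policy; a sentence advising users with a custom policy to re-check that non-admin accounts cannot reach those operations would stop the fix being silently overridden by local configuration.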
diff --git a/src/security-advisories.data/CVE-2026-49270-announcement.txt
b/src/security-advisories.data/CVE-2026-49270-announcement.txt
new file mode 100644
index 000000000..8ab0d33ac
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-49270-announcement.txt
@@ -0,0 +1,28 @@
+Severity: moderate
+
+Affected versions:
+
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 5.14.0 before
5.19.7
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before
6.2.6
+- Apache ActiveMQ (org.apache.activemq:activemq-all) 5.14.0 before 5.19.7
+- Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.6
+- Apache ActiveMQ All (org.apache.activemq:apache-activemq) 5.14.0 before
5.19.7
+- Apache ActiveMQ All (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.6
+
+Description:
+
+Exposure of Sensitive Information Through Metadata vulnerability in Apache
ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All.
+
+Brokers that are configured with a network connector with syncDurableSubs set
to true, are vulnerable to an unauthenticated attacker who can receive a list
of all durable topic subscriptions in the broker, including client identifiers,
subscription names, topic destinations, and JMS selector expressions, by
sending a BrokerInfo command. The broker incorrectly responds without first
ensuring the connection is authenticated.
+This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before
6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ
All: before 5.19.7, from 6.0.0 before 6.2.6.
+
+Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the
issue.
+
+Credit:
+
+Basel Khaled (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-49270
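Review bot: the affected-versions block pairs the product names with the wrong coordinates: `Apache ActiveMQ` is listed with `activemq-all` and `Apache ActiveMQ All` with `apache-activemq`, the reverse of every other announcement in this commit. The `This issue affects` sentence also drops the `5.14.0` lower bound given in the affected-versions block (`before 5.19.7` versus `5.14.0 before 5.19.7`) and is not separated from the preceding paragraph by a blank line. Finally, the description names `syncDurableSubs` set to true as the precondition; stating whether that is the default would let operators judge their exposure without reading their broker configuration.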