Severity: moderate 

Affected versions:

- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.8
- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.7
- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.8
- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.7
- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.8
- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.7

Description:

Improper Input Validation vulnerability in Apache ActiveMQ Broker, Apache 
ActiveMQ, Apache ActiveMQ All.

An attacker that has access to publish or modify entries in LDAP that match the 
configured searchBase and searchFilter can instantiate denied transports inside 
the broker JVM. This can be used to fetch an attacker URL and spawn a second 
BrokerService inside the same JVM.
This issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 
6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ 
All: before 5.19.8, from 6.0.0 before 6.2.7.


Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the 
issue.
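
The following check is an added example, not part of the Apache advisory or the ActiveMQ code base: it flags the three listed artifacts when their version falls in an affected range, reading coordinates in the `group:artifact:type:version:scope` form that `mvn dependency:list` prints. The sample lines are constructed, and the treatment of qualified builds of a fix version is an assumption noted in the code.

```python
import re

# Artifacts and version bounds copied from the advisory's "Affected versions".
ARTIFACTS = {"activemq-broker", "apache-activemq", "activemq-all"}
FIX_5X, START_6X, FIX_6X = (5, 19, 8), (6, 0, 0), (6, 2, 7)

def parse_version(text):
    """Return ((major, minor, patch), has_qualifier), or None if unparseable."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?([.-].+)?", text.strip())
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3] or 0)), m[4] is not None

def is_affected(version):
    """True if the version is in a range the advisory lists as affected."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised version: {version!r}")
    nums, qualified = parsed
    # Assumption: a qualified build of a fix version (e.g. 6.2.7-SNAPSHOT)
    # predates the release, so it is conservatively reported as affected.
    if qualified and nums in (FIX_5X, FIX_6X):
        return True
    return nums < FIX_5X or START_6X <= nums < FIX_6X

def scan(lines):
    """Return (artifact, version) pairs for affected coordinates in the lines."""
    found = []
    for line in lines:
        m = re.search(r"org\.apache\.activemq:\S+", line)
        if not m:
            continue
        parts = m[0].split(":")
        if len(parts) < 4 or parts[1] not in ARTIFACTS:
            continue
        # group:artifact:type:version[:scope]; a classifier adds one field.
        version = parts[4] if len(parts) == 6 else parts[3]
        if is_affected(version):
            found.append((parts[1], version))
    return found

# Constructed sample input in the dependency:list line format.
SAMPLE = [
    "[INFO]    org.apache.activemq:activemq-broker:jar:5.18.3:compile",
    "[INFO]    org.apache.activemq:activemq-client:jar:5.18.3:compile",
    "[INFO]    org.apache.activemq:activemq-all:jar:6.2.7:compile",
    "[INFO]    org.apache.activemq:apache-activemq:tar.gz:bin:6.1.2:runtime",
]

if __name__ == "__main__":
    for artifact, version in scan(SAMPLE):
        print(f"AFFECTED {artifact} {version}")
```
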

Credit:

@Add Content (finder)

References:

https://activemq.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-49434

