Advisories for Maven/Org.apache.activemq/Activemq-Client package

2026

Apache ActiveMQ: Denial of Service via Out of Memory vulnerability

Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS. Note: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are …

Apache ActiveMQ: Improper validation and restriction of a classpath path name

Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All. In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided "key" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially …

2025

Apache ActiveMQ: Unchecked buffer length can cause excessive memory allocation

Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. During unmarshalling of OpenWire commands the size value of buffers was not properly validated which could lead to excessive memory allocation and be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on the availability of the ActiveMQ broker when not using mutual TLS connections. This issue affects Apache ActiveMQ: …

2023

False positive

This advisory has been marked as a false positive.

Apache ActiveMQ is vulnerable to Remote Code Execution

Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.

2022

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in scheduled.jsp in Apache ActiveMQ 5.8.0 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving the "cron of a message."

Improper Input Validation in Apache ActiveMQ

The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows wildcard operators in usernames, which allows remote attackers to obtain credentials via a brute force attack. NOTE: this identifier was SPLIT from CVE-2014-3612 per ADT2 due to different vulnerability types.

Improper Authentication

The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests.

Withdrawn Advisory: Improper Restriction of XML External Entity Reference in Apache ActiveMQ

Withdrawn Advisory This advisory has been withdrawn because further investgation revealed that this is not a security issue. This link is maintained to preserve external references. Original Description XML external entity (XXE) vulnerability in the XPath selector component in Artemis ActiveMQ before commit 48d9951d879e0c8cbb59d4b64ab59d53ef88310d allows remote attackers to have unspecified impact via unknown vectors.

Improper Restriction of XML External Entity Reference

XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.

Improper Neutralization of Special Elements used in an OS Command in Apache ActiveMQ

The processControlCommand function in broker/TransportConnection.java in Apache ActiveMQ before 5.11.0 allows remote attackers to cause a denial of service (shutdown) via a shutdown command.

Improper Neutralization of Input During Web Page Generation in Apache ActiveMQ

The web-based administration console in Apache ActiveMQ 5.x before 5.13.2 does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The administration web console in Apache ActiveMQ 5.x before 5.11.4, 5.12.x before 5.12.3, and 5.13.x before 5.13.2 allows remote authenticated users to conduct cross-site scripting (XSS) attacks and consequently obtain sensitive information from a Java memory dump via vectors related to creating a queue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting (XSS) vulnerabilities in the web based administration console in Apache ActiveMQ 5.x before 5.10.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Apache ActiveMQ 5.x before 5.14.2, an instance of a cross-site scripting vulnerability was identified to be present in the web based administration console. The root cause of this issue is improper user data output validation.

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5.x before 5.11.2 for Windows allows remote attackers to create JSP files in arbitrary directories via unspecified vectors.

Improper Input Validation in Apache ActiveMQ

The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.

Improper Authentication

The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6524 for the use of wildcard operators in usernames.

Advisories for Maven/Org.apache.activemq/Activemq-Client package

Apache ActiveMQ: Denial of Service via Out of Memory vulnerability

Apache ActiveMQ: Improper validation and restriction of a classpath path name

Apache ActiveMQ: Unchecked buffer length can cause excessive memory allocation

False positive

Apache ActiveMQ is vulnerable to Remote Code Execution

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Improper Input Validation in Apache ActiveMQ

Improper Authentication

Withdrawn Advisory: Improper Restriction of XML External Entity Reference in Apache ActiveMQ

Improper Restriction of XML External Entity Reference

Improper Neutralization of Special Elements used in an OS Command in Apache ActiveMQ

Improper Neutralization of Input During Web Page Generation in Apache ActiveMQ

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Improper Input Validation in Apache ActiveMQ

Improper Authentication

Improper Input Validation

Cross-site Scripting

Improper Authentication

Improper Input Validation

Code Injection

Improper Certificate Validation