CVE-2023-50780: Apache ActiveMQ Artemis: Authenticated users could perform RCE via Jolokia MBeans

October 14, 2024 (updated March 20, 2025)

Apache ActiveMQ Artemis allows access to diagnostic information and controls through MBeans, which are also exposed through the authenticated Jolokia endpoint. Before version 2.29.0, this also included the Log4J2 MBean. This MBean is not meant for exposure to non-administrative users. This could eventually allow an authenticated attacker to write arbitrary files to the filesystem and indirectly achieve RCE.

Users are recommended to upgrade to version 2.29.0 or later, which fixes the issue.

References

github.com/advisories/GHSA-443j-grxv-2pgv
github.com/apache/activemq-artemis
github.com/apache/activemq-artemis/commit/cfb585eaf61d570eecd65c6ad0e92282df7d3869
issues.apache.org/jira/browse/ARTEMIS-4150
lists.apache.org/thread/63b78shqz312phsx7v1ryr7jv7bprg58
nvd.nist.gov/vuln/detail/CVE-2023-50780

Code Behaviors & Features

Detect and mitigate CVE-2023-50780 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →