Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-41678

CWE-287 — Improper Authentication CWE-502 — Deserialization of Untrusted Data11 documents8 sources

Severity

8.8HIGH

EPSS

93.6%

top 0.16%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Apache Software Foundation Apache Activemq Apache Activemq

Timeline

PublishedNov 28

Latest updateFeb 14

Description

Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution. In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject. And calls to org.jolokia.http.HttpRequestHandler#executeRequest. Into deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest can be invoked through refection. This c…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶NVDapache/activemq5.17.0 — 5.17.4+1

▶Mavenorg.apache.activemq:apache-activemq5.17.0 — 5.17.4+1

▶CVEListV5apache_software_foundation/apache_activemq5.17.0 — 5.17.4+1

▶Debianactivemq< 5.16.1-1+deb11u1+2

▶Ubuntuactivemq< 5.16.1-1ubuntu0.1

🔴Vulnerability Details

OSV

activemq vulnerabilities↗2025-02-14

▶

OSV

CVE-2022-41678: Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution↗2023-11-28

▶

GHSA

Apache ActiveMQ Deserialization of Untrusted Data vulnerability↗2023-11-28

▶

OSV

Apache ActiveMQ Deserialization of Untrusted Data vulnerability↗2023-11-28

▶

CVEList

Apache ActiveMQ: Insufficient API restrictions on Jolokia allow authenticated users to perform RCE↗2023-11-28

▶

💥Exploits & PoCs

Nuclei

Apache ActiveMQ < 5.16.5/5.17.3 - Remote Code Execution

▶

📋Vendor Advisories

Ubuntu

Apache ActiveMQ vulnerabilities↗2025-02-14

▶

Ubuntu

Apache ActiveMQ vulnerabilities↗2024-07-23

▶

Red Hat

ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE↗2023-11-28

▶

Debian

CVE-2022-41678: activemq - Once an user is authenticated on Jolokia, he can potentially trigger arbitrary c...↗2022

▶