CVE-2025-27391

CWE-532 — Log File Information Exposure6 documents6 sources

Severity

6.8MEDIUM

EPSS

0.3%

top 50.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Activemq Artemis Apache Activemq Artemis

Timeline

PublishedApr 9

Description

Insertion of Sensitive Information into Log File vulnerability in Apache ActiveMQ Artemis. All the values of the broker properties are logged when the org.apache.activemq.artemis.core.config.impl.ConfigurationImpl logger has the debug level enabled. This issue affects Apache ActiveMQ Artemis: from 1.5.1 before 2.40.0. It can be mitigated by restricting log access to only trusted users. Users are recommended to upgrade to version 2.40.0, which fixes the issue.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Affected Packages3 packages

▶NVDapache/activemq_artemis1.5.1 — 2.40.0

▶Mavenorg.apache.activemq:artemis-project1.5.1 — 2.40.0

▶CVEListV5apache_software_foundation/apache_activemq_artemis1.5.1 — 2.40.0

🔴Vulnerability Details

CVEList

Apache ActiveMQ Artemis: Passwords leaking from broker properties in the debug log↗2025-04-09

▶

GHSA

Apache ActiveMQ Artemis Vulnerable to Insertion of Sensitive Information into Log File↗2025-04-09

▶

OSV

Apache ActiveMQ Artemis Vulnerable to Insertion of Sensitive Information into Log File↗2025-04-09

▶

📋Vendor Advisories

Red Hat

org.apache.activemq/artemis-core-client: Apache ActiveMQ Artemis: Passwords leaking from broker properties in the debug log↗2025-04-09

▶

Microsoft

wifi: wilc1000: do not realloc workqueue everytime an interface is added↗2024-05-14

▶