CVE-2025-27427
Severity
2.3 LOW
EPSS
0.7%
top 26.96%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Apr 1
Description
A vulnerability exists in Apache ActiveMQ Artemis whereby a user with the createDurableQueue or createNonDurableQueue permission on an address can augment the routing-type supported by that address even if said user doesn't have the createAddress permission for that particular address. When combined with the send permission and automatic queue creation a user could successfully send a message with a routing-type not supported by the address when that message should actually be rejected on the ba…
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Affected Packages: 3 packages
Vulnerability Details (3)
OSV
Apache ActiveMQ Artemis User Without Create Address Permissions can Modify Address Routing-Type (2025-04-01)
GHSA
Apache ActiveMQ Artemis User Without Create Address Permissions can Modify Address Routing-Type (2025-04-01)
CVEList
Apache ActiveMQ Artemis: Address routing-type can be updated by user without the createAddress permission (2025-04-01)
Vendor Advisories (1)
Red Hat
org.apache.activemq/artemis-core-client: Apache ActiveMQ Artemis: Address routing-type can be updated by user without the createAddress permission (2025-04-01)