Debian Activemq vulnerabilities
34 known vulnerabilities affecting debian/activemq.
Total CVEs: 34
CISA KEV: 3 (actively exploited)
Public exploits: 8
Exploited in wild: 2
Severity breakdown: CRITICAL 3, HIGH 4, MEDIUM 4, LOW 23
Vulnerabilities
Page 1 of 2
CVE-2026-34197 [HIGH]: activemq
HIGH | CVSS 8.8 | KEV | PoC | 2026 | debian
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerServi

CVE-2026-40046 [MEDIUM]: activemq
LOW | CVSS 5.4 | 2026 | debian
bookworm: resolved
bullseye: resolved
sid: resolved
trixie: resolved

CVE-2025-66168 [MEDIUM]: activemq
MEDIUM | CVSS 5.4 | 2025 | debian
Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets. When this integer overflow occurs, ActiveMQ may incorrectly compute the total Remaining Length and subsequently misinterpret the payload as multiple MQTT control packets which makes the broker susceptible to unexpected beha

CVE-2025-27533 [MEDIUM]: activemq
MEDIUM | CVSS 6.9 | PoC | fixed in activemq 5.16.1-1+deb11u2 (bullseye) | 2025 | debian
Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. During unmarshalling of OpenWire commands the size value of buffers was not properly validated which could lead to excessive memory allocation and be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on the av

CVE-2024-32114 [HIGH]: activemq
LOW | CVSS 8.5 | PoC | 2024 | debian
In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (where the Jolokia JMX REST API and the Message REST API are located). It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with the broker (using Jolokia JMX REST API) and/or produce/consume messages or purge/delete destin

CVE-2023-46604 [CRITICAL]: activemq
CRITICAL | CVSS 10.0 | KEV | PoC | fixed in activemq 5.17.2+dfsg-2+deb12u1 (bookworm) | 2023 | debian
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate an

CVE-2022-41678 [HIGH]: activemq
HIGH | CVSS 8.8 | PoC | fixed in activemq 5.17.2+dfsg-2+deb12u1 (bookworm) | 2022 | debian
Once a user is authenticated on Jolokia, he can potentially trigger arbitrary code execution. In detail, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handle requests to /api/jolokia; org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject. And calls to org.jolokia.http.HttpRequestHandler#ex

CVE-2021-26117 [HIGH]: activemq
HIGH | CVSS 7.5 | fixed in activemq 5.16.1-1 (bookworm) | 2021 | debian
The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid user's password in error, resulting in no check on the password.
Scope: local
bookworm: resolved

CVE-2020-13920 [MEDIUM]: activemq
MEDIUM | CVSS 5.9 | fixed in activemq 5.16.0-1 (bookworm) | 2020 | debian
Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and binds that, he effectively becomes a man in

CVE-2020-13947 [MEDIUM]: activemq
LOW | CVSS 6.1 | fixed in activemq 5.16.1-1 (bookworm) | 2020 | debian
An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the message.jsp page of Apache ActiveMQ versions 5.15.12 through 5.16.0.
Scope: local
bookworm: resolved (fixed in 5.16.1-1)
bullseye: resolved (fixed in 5.16.1-1)
sid: resolved (fixed in 5.16.1-1)
trixie: resolved (fixed in 5.16.1-1)

CVE-2020-1941 [MEDIUM]: activemq
LOW | CVSS 6.1 | fixed in activemq 5.16.0-1 (bookworm) | 2020 | debian
In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue.
Scope: local
bookworm: resolved (fixed in 5.16.0-1)
bullseye: resolved (fixed in 5.16.0-1)
sid: resolved (fixed in 5.16.0-1)
trixie: resolved (fixed in 5.16.0-1)

CVE-2020-11998 [CRITICAL]: activemq
LOW | CVSS 9.8 | 2020 | debian
A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html "A remote client could create a javax.mana

CVE-2019-0222 [HIGH]: activemq
LOW | CVSS 7.5 | fixed in activemq 5.15.9-1 (bookworm) | 2019 | debian
In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling a corrupt MQTT frame can lead to a broker Out of Memory exception making it unresponsive.
Scope: local
bookworm: resolved (fixed in 5.15.9-1)
bullseye: resolved (fixed in 5.15.9-1)
sid: resolved (fixed in 5.15.9-1)
trixie: resolved (fixed in 5.15.9-1)

CVE-2018-8006 [MEDIUM]: activemq
LOW | CVSS 6.1 | PoC | fixed in activemq 5.15.6-1 (bookworm) | 2018 | debian
An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the queue.jsp page of Apache ActiveMQ versions 5.0.0 to 5.15.5. The root cause of this issue is improper data filtering of the QueueFilter parameter.
Scope: local
bookworm: resolved (fixed in 5.15.6-1)
bullseye: resolved (fixed in 5.15.6-1)
si

CVE-2018-11775 [HIGH]: activemq
LOW | CVSS 7.4 | fixed in activemq 5.15.6-1 (bookworm) | 2018 | debian
TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.
Scope: local
bookworm: resolved (fixed in 5.15.6-1)
bullseye: resolved (fixed in 5.15.6-1)
sid: resolved (fixed

CVE-2017-15709 [LOW]: activemq
LOW | CVSS 3.7 | fixed in activemq 5.15.3-1 (bookworm) | 2017 | debian
When using the OpenWire protocol in ActiveMQ versions 5.14.0 to 5.15.2 it was found that certain system details (such as the OS and kernel version) are exposed as plain text.
Scope: local
bookworm: resolved (fixed in 5.15.3-1)
bullseye: resolved (fixed in 5.15.3-1)
sid: resolved (fixed in 5.15.3-1)
trixie: resolved (fixed in 5.15.3-1)

CVE-2016-3088 [CRITICAL]: activemq
CRITICAL | CVSS 9.8 | KEV | PoC | fixed in activemq 5.14.0+dfsg-1 (bookworm) | 2016 | debian
The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
Scope: local
bookworm: resolved (fixed in 5.14.0+dfsg-1)
bullseye: resolved (fixed in 5.14.0+dfsg-1)
sid: resolved (fixed in 5.14.0+dfsg-1)
trixie: resolved (fixed in 5.14.0+dfsg-1)

CVE-2016-0782 [MEDIUM]: activemq
LOW | CVSS 5.4 | fixed in activemq 5.13.2+dfsg-1 (bookworm) | 2016 | debian
The administration web console in Apache ActiveMQ 5.x before 5.11.4, 5.12.x before 5.12.3, and 5.13.x before 5.13.2 allows remote authenticated users to conduct cross-site scripting (XSS) attacks and consequently obtain sensitive information from a Java memory dump via vectors related to creating a queue.
Scope: local
bookworm: resolved (fixed in 5.13.2+dfsg-1)
bul

CVE-2016-0734 [MEDIUM]: activemq
LOW | CVSS 6.1 | 2016 | debian
The web-based administration console in Apache ActiveMQ 5.x before 5.13.2 does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element.
Scope: local
bookworm: resolved
bullseye: resolved
sid: resolved
trixie: resolved

CVE-2016-6810 [MEDIUM]: activemq
LOW | CVSS 6.1 | fixed in activemq 5.14.2+dfsg-1 (bookworm) | 2016 | debian
In Apache ActiveMQ 5.x before 5.14.2, an instance of a cross-site scripting vulnerability was identified to be present in the web based administration console. The root cause of this issue is improper user data output validation.
Scope: local
bookworm: resolved (fixed in 5.14.2+dfsg-1)
bullseye: resolved (fixed in 5.14.2+dfsg-1)
sid: resolved (fixed in 5.14.2+dfsg-