This is an automated email from the ASF dual-hosted git repository.
jbertram pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-website.git
The following commit(s) were added to refs/heads/main by this push:
new e6a612994 NO-JIRA updates for CVE-2023-50780
e6a612994 is described below
commit e6a61299453ea24f49f8497aa581a9d85aeaf25a
Author: Justin Bertram <[email protected]>
AuthorDate: Mon Oct 14 11:18:30 2024 -0500
NO-JIRA updates for CVE-2023-50780
---
.../CVE-2023-50780-announcement.txt | 24 ++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/src/security-advisories.data/CVE-2023-50780-announcement.txt
b/src/security-advisories.data/CVE-2023-50780-announcement.txt
new file mode 100644
index 000000000..c012cd921
--- /dev/null
+++ b/src/security-advisories.data/CVE-2023-50780-announcement.txt
@@ -0,0 +1,24 @@
+Severity: moderate
+
+Affected versions:
+
+- Apache ActiveMQ Artemis before 2.29.0
+
+Description:
+
+Apache ActiveMQ Artemis allows access to diagnostic information and controls
through MBeans, which are also exposed through the authenticated Jolokia
endpoint. Before version 2.29.0, this also included the Log4J2 MBean. This
MBean is not meant for exposure to non-administrative users. This could
eventually allow an authenticated attacker to write arbitrary files to the
filesystem and indirectly achieve RCE.
+
+
+Users are recommended to upgrade to version 2.29.0 or later, which fixes the
issue.
+
+This issue is being tracked as ARTEMIS-4150
+
+Credit:
+
+Matei "Mal" Badanoiu (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2023-50780
+https://issues.apache.org/jira/browse/ARTEMIS-4150
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact
