This is an automated email from the ASF dual-hosted git repository.
asf-gitbox-commits pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/activemq-website.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 72ef61a5f Automatic Site Publish by Buildbot
72ef61a5f is described below
commit 72ef61a5f7b201a45a95b5a78997fbc50a5304cd
Author: buildbot <[email protected]>
AuthorDate: Sun May 31 16:14:43 2026 +0000
Automatic Site Publish by Buildbot
---
output/components/classic/security.html | 6 ++++
.../CVE-2026-42253-announcement.txt | 31 +++++++++++++++++++
.../CVE-2026-42588-announcement.txt | 34 +++++++++++++++++++++
.../CVE-2026-45505-announcement.txt | 35 ++++++++++++++++++++++
.../CVE-2026-46605-announcement.txt | 27 +++++++++++++++++
.../CVE-2026-49157-announcement.txt | 25 ++++++++++++++++
.../CVE-2026-49270-announcement.txt | 28 +++++++++++++++++
7 files changed, 186 insertions(+)
diff --git a/output/components/classic/security.html
b/output/components/classic/security.html
index b41607bf5..982befbb4 100644
--- a/output/components/classic/security.html
+++ b/output/components/classic/security.html
@@ -97,6 +97,12 @@
<p>See the main <a href="../../security-advisories">Security Advisories</a>
page for details for other components and general information such as reporting
new security issues.</p>
<ul>
+ <li><a
href="../../security-advisories.data/CVE-2026-49270-announcement.txt">CVE-2026-49270</a>
- Durable Subscription Disclosure via Crafted BrokerInfo (OpenWire)</li>
+ <li><a
href="../../security-advisories.data/CVE-2026-49157-announcement.txt">CVE-2026-49157</a>
- Authenticated low-privilege Web users retain Jolokia broker-management
capability by default</li>
+ <li><a
href="../../security-advisories.data/CVE-2026-46605-announcement.txt">CVE-2026-46605</a>
- Incomplete authorization during destination removal</li>
+ <li><a
href="../../security-advisories.data/CVE-2026-45505-announcement.txt">CVE-2026-45505</a>
- Jolokia “addNetworkConnector” Discovery Wrapper Bypass</li>
+ <li><a
href="../../security-advisories.data/CVE-2026-42588-announcement.txt">CVE-2026-42588</a>
- Remote Code Execution via Jolokia addNetworkConnector</li>
+ <li><a
href="../../security-advisories.data/CVE-2026-42253-announcement.txt">CVE-2026-42253</a>
- HTTP Response Header Injection via JMS Message Properties</li>
<li><a
href="../../security-advisories.data/CVE-2026-41044-announcement.txt">CVE-2026-41044</a>
- Authenticated user can perform RCE via DestinationView MBean exposed by
Jolokia</li>
<li><a
href="../../security-advisories.data/CVE-2026-41043-announcement.txt">CVE-2026-41043</a>
- ActiveMQ Web Console - XSS vulnerability when browsing queues</li>
<li><a
href="../../security-advisories.data/CVE-2026-40466-announcement.txt">CVE-2026-40466</a>
- Possible bypass of CVE-2026-34197 via HTTP discovery second-stage URI</li>
diff --git a/output/security-advisories.data/CVE-2026-42253-announcement.txt
b/output/security-advisories.data/CVE-2026-42253-announcement.txt
new file mode 100644
index 000000000..5be1d15ee
--- /dev/null
+++ b/output/security-advisories.data/CVE-2026-42253-announcement.txt
@@ -0,0 +1,31 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.7
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.6
+- Apache ActiveMQ Web (org.apache.activemq:activemq-web) before 5.19.7
+- Apache ActiveMQ Web (org.apache.activemq:activemq-web) 6.0.0 before 6.2.6
+
+Description:
+
+Improper Neutralization of Input During Web Page Generation ('Cross-site
Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web.
+
+The MessageServlet in the ActiveMQ web console API copies every JMS message
+property into an HTTP response header without any validation. This can allow
overwriting and injecting security headers by setting them on JMS messages that
are returned by the servlet.
+
+This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6;
Apache ActiveMQ Web: before 5.19.7, from 6.0.0 before 6.2.6.
+
+Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the
issue. The MessageServlet has now been deprecated and disabled by default.
+
+Credit:
+
+Vishal Shukla (finder)
+pyn3rd (finder)
+uname (finder)
+4ra1n (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-42253
diff --git a/output/security-advisories.data/CVE-2026-42588-announcement.txt
b/output/security-advisories.data/CVE-2026-42588-announcement.txt
new file mode 100644
index 000000000..fb0d8e9d8
--- /dev/null
+++ b/output/security-advisories.data/CVE-2026-42588-announcement.txt
@@ -0,0 +1,34 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.7
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before
6.2.6
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.7
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.6
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.7
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.6
+
+Description:
+
+Improper Input Validation, Improper Control of Generation of Code ('Code
Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All,
Apache ActiveMQ.
+
+Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/
on the web console. The default Jolokia access policy permits exec operations
on all ActiveMQ MBeans (org.apache.activemq:*), including
+BrokerService.addNetworkConnector(String).
+
+An authenticated attacker can invoke these operations with a crafted discovery
URI that triggers the VM transport's brokerConfig parameter using the
"masterslave:// " URL which can allow loading a Spring XML application context
using ResourceXmlApplicationContext.
+Because Spring's ResourceXmlApplicationContext instantiates all singleton
beans before the BrokerService validates the configuration, arbitrary code
execution occurs on the broker's JVM through bean factory methods such as
Runtime.exec().
+This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before
6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache
ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.
+
+Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the
issue.
+
+Credit:
+
+pyn3rd (finder)
+uname (finder)
+4ra1n (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-42588
diff --git a/output/security-advisories.data/CVE-2026-45505-announcement.txt
b/output/security-advisories.data/CVE-2026-45505-announcement.txt
new file mode 100644
index 000000000..d0dd86256
--- /dev/null
+++ b/output/security-advisories.data/CVE-2026-45505-announcement.txt
@@ -0,0 +1,35 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.7
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before
6.2.6
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.7
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.6
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.7
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.6
+
+Description:
+
+Improper Input Validation, Improper Control of Generation of Code ('Code
Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All,
Apache ActiveMQ.
+
+
+Non-parenthesized discovery wrappers such as `masterslave:vm://...,...`
+and `static:vm://...` incorrectly pass validation allowing bypass of fix in
CVE-2026-34197.
+
+Original description from CVE-2026-34197.
+
+Apache ActiveMQ exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the
web console. The default Jolokia access policy permits exec operations on all
ActiveMQ MBeans (org.apache.activemq:*), including
BrokerService.addNetworkConnector(String) and
BrokerService.addConnector(String). An authenticated attacker can invoke these
operations with a crafted discovery UR that triggers the VM transport's
brokerConfig parameter to load a remote Spring XML application context using
ResourceXmlAp [...]
+This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before
6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache
ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.
+
+Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the
issue.
+
+Credit:
+
+lokerxx (finder)
+
+References:
+
+https://nvd.nist.gov/vuln/detail/CVE-2026-34197
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-45505
diff --git a/output/security-advisories.data/CVE-2026-46605-announcement.txt
b/output/security-advisories.data/CVE-2026-46605-announcement.txt
new file mode 100644
index 000000000..ca3c67d99
--- /dev/null
+++ b/output/security-advisories.data/CVE-2026-46605-announcement.txt
@@ -0,0 +1,27 @@
+Severity: moderate
+
+Affected versions:
+
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.7
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before
6.2.6
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.7
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.6
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.7
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.6
+
+Description:
+
+Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and
v5.19.7 allows authenticated connections to remove existing destinations with
proper permissions.
+
+This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before
6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache
ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.
+
+Users are recommended to upgrade to version v6.2.6 or v5.19.7, which fixes the
issue.
+
+Credit:
+
+Leon Johnson (github: lokerxx) (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-46605
diff --git a/output/security-advisories.data/CVE-2026-49157-announcement.txt
b/output/security-advisories.data/CVE-2026-49157-announcement.txt
new file mode 100644
index 000000000..f587ec6ae
--- /dev/null
+++ b/output/security-advisories.data/CVE-2026-49157-announcement.txt
@@ -0,0 +1,25 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.7
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.6
+
+Description:
+
+Incorrect Default Permissions vulnerability in Apache ActiveMQ.
+
+This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.
+
+The default Jolokia authorization settings granted non-admin (low-privilege)
web-login accounts access to Jolokia operations which allowed executing broker
management operations meant for admins such as addQueue and removeQueue.
+
+Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the
issue.
+
+Credit:
+
+Leon Johnson (github: lokerxx) (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-49157
diff --git a/output/security-advisories.data/CVE-2026-49270-announcement.txt
b/output/security-advisories.data/CVE-2026-49270-announcement.txt
new file mode 100644
index 000000000..8ab0d33ac
--- /dev/null
+++ b/output/security-advisories.data/CVE-2026-49270-announcement.txt
@@ -0,0 +1,28 @@
+Severity: moderate
+
+Affected versions:
+
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 5.14.0 before
5.19.7
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before
6.2.6
+- Apache ActiveMQ (org.apache.activemq:activemq-all) 5.14.0 before 5.19.7
+- Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.6
+- Apache ActiveMQ All (org.apache.activemq:apache-activemq) 5.14.0 before
5.19.7
+- Apache ActiveMQ All (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.6
+
+Description:
+
+Exposure of Sensitive Information Through Metadata vulnerability in Apache
ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All.
+
+Brokers that are configured with a network connector with syncDurableSubs set
to true, are vulnerable to an unauthenticated attacker who can receive a list
of all durable topic subscriptions in the broker, including client identifiers,
subscription names, topic destinations, and JMS selector expressions, by
sending a BrokerInfo command. The broker incorrectly responds without first
ensuring the connection is authenticated.
+This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before
6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ
All: before 5.19.7, from 6.0.0 before 6.2.6.
+
+Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the
issue.
+
+Credit:
+
+Basel Khaled (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-49270
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact