Hi James- FYI— updated ActiveMQ releases for 6.1.x, 6.0.x, 5.18.x & 5.17.x are underway.
This CVE does not appear to apply to ActiveMQ, since ActiveMQ does not use the vulnerable class 'UriComponentsBuilder '. Additionally, this issue can be readily avoided by disabling the web console which eliminates usage of the spring-web dependency. Thanks, Matt Pavlovich > On Feb 26, 2024, at 5:24 PM, James Velasco <[email protected]> > wrote: > > Apparently ActiveMQ 6.0.1 uses spring-web v6.0.14 which is impacted by > CVE-2024-22243. > > See https://spring.io/security/cve-2024-22243. > > — > > James Velasco > Chief Computer Scientist > > Office: +1 (713) 975-7434 > [email protected] <mailto:[email protected]> > INT | Empowering Visualization >
