Great, thanks for the update.

-----Original Message-----
From: Jean-Baptiste Onofré <[email protected]> 
Sent: Sunday, October 26, 2025 3:00 AM
To: [email protected]
Cc: [email protected]
Subject: Re: ActiveMQ Classic 5.19.0 and CVE-2024-38819

Hi

Yes I confirm that ActiveMQ is not vulnerable to this CVE, we don’t use 
FileSystemResource.

Also 6.1.8 has been released with fixed spring version (for the scanner) and 
6.2.0 is in prep.

Regards
JB

On Sat, Oct 25, 2025 at 22:26, Culler, William <[email protected]> 
wrote:

> The corporate security team keeps flagging our ActiveMQ 5.19.0 
> installation for:
>
> CVE-2024-38819 is a path traversal vulnerability in Spring Framework 
> (versions 5.3.x-6.1.x) when using functional routing APIs (WebMvc.fn 
> or WebFlux.fn) with FileSystemResource.
>
> Based on what I can tell, the following is true:
>
> 1. ActiveMQ 5.19.0 does not use Spring functional routing APIs internally.
> 2. The vulnerability only applies if the application explicitly uses 
> FileSystemResource in Spring functional routing, which is not part of 
> ActiveMQ's core functionality.
>
> Can anyone confirm this is the case so that I can file an exception 
> with our security team with a "statement from the Vendor" that 
> ActiveMQ 5.19.0 is not vulnerable?
>
> Thanks.
>
