Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00NDNqLWdyeHYtMnBnds4ABAPx

Apache ActiveMQ Artemis: Authenticated users could perform RCE via Jolokia MBeans

Apache ActiveMQ Artemis allows access to diagnostic information and controls through MBeans, which are also exposed through the authenticated Jolokia endpoint. Before version 2.29.0, this also included the Log4J2 MBean. This MBean is not meant for exposure to non-administrative users. This could eventually allow an authenticated attacker to write arbitrary files to the filesystem and indirectly achieve RCE.

Users are recommended to upgrade to version 2.29.0 or later, which fixes the issue.

Permalink: https://github.com/advisories/GHSA-443j-grxv-2pgv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00NDNqLWdyeHYtMnBnds4ABAPx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 1 day ago
Updated: 1 day ago

Identifiers: GHSA-443j-grxv-2pgv, CVE-2023-50780
References:

Repository: https://github.com/apache/activemq-artemis
Blast Radius: 0.0

Affected Packages

maven:org.apache.activemq:artemis-cli

Dependent packages: 45
Dependent repositories: 94
Downloads:
Affected Version Ranges: < 2.29.0
Fixed in: 2.29.0
All affected versions: 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.7.0, 2.8.0, 2.8.1, 2.9.0, 2.10.0, 2.10.1, 2.11.0, 2.12.0, 2.13.0, 2.14.0, 2.15.0, 2.16.0, 2.17.0, 2.18.0, 2.19.0, 2.19.1, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.23.1, 2.24.0, 2.25.0, 2.26.0, 2.27.0, 2.27.1, 2.28.0
All unaffected versions: 2.29.0, 2.30.0, 2.31.0, 2.31.1, 2.31.2, 2.32.0, 2.33.0, 2.34.0, 2.35.0, 2.36.0, 2.37.0