Security Advisories - ActiveMQ Classic

Details of security problems fixed in released versions of Apache ActiveMQ Classic 6.x and 5.x are detailed below.

See the main Security Advisories page for details for other components and general information such as reporting new security issues.

• CVE-2023-46604 - Unbounded deserialization causes ActiveMQ Classic to be vulnerable to a remote code execution (RCE) attack
• CVE-2022-41678 - Deserialization vulnerability on Jolokia that allows authenticated users to perform remote code execution (RCE)
• CVE-2021-26117 - ActiveMQ: LDAP-Authentication does not verify passwords on servers with anonymous bind
• CVE-2020-13947 - XSS in WebConsole
• CVE-2020-13920 - JMX MITM vulnerability
• CVE-2020-11998 - JMX remote client could execute arbitrary code
• CVE-2020-1941 - XSS in WebConsole
• CVE-2019-0222 - Corrupt MQTT frame can cause broker shutdown
• CVE-2018-8006 - ActiveMQ Web Console - Cross-Site Scripting
• CVE-2018-11775 - Missing TLS Hostname Verification
• CVE-2017-15709 - Information Leak
• CVE-2015-7559 - DoS in client via shutdown command
• CVE-2016-6810 - ActiveMQ Web Console - Cross-Site Scripting
• CVE-2016-0734 - ActiveMQ Web Console - Clickjacking
• CVE-2016-0782 - ActiveMQ Web Console - Cross-Site Scripting
• CVE-2016-3088 - ActiveMQ Fileserver web application vulnerabilities
• CVE-2015-5254 - Unsafe deserialization in ActiveMQ
• CVE-2015-1830 - Path traversal leading to unauthenticated RCE in ActiveMQ Classic
• CVE-2014-3576 - Remote Unauthenticated Shutdown of Broker (DoS)
• CVE-2014-3600 - Apache ActiveMQ XXE with XPath selectors
• CVE-2014-3612 - ActiveMQ JAAS: LDAPLoginModule allows empty password authentication and Wildcard Interpretation
• CVE-2014-8110 - ActiveMQ Web Console - Cross-Site Scripting