CVE-2023-50780

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-50780

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-50780.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-50780

Aliases

GHSA-443j-grxv-2pgv

Published

2024-10-14T16:15:03Z

Modified

2024-10-16T23:49:39.975951Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Apache ActiveMQ Artemis allows access to diagnostic information and controls through MBeans, which are also exposed through the authenticated Jolokia endpoint. Before version 2.29.0, this also included the Log4J2 MBean. This MBean is not meant for exposure to non-administrative users. This could eventually allow an authenticated attacker to write arbitrary files to the filesystem and indirectly achieve RCE.

Users are recommended to upgrade to version 2.29.0 or later, which fixes the issue.

References

https://lists.apache.org/thread/63b78shqz312phsx7v1ryr7jv7bprg58

Affected packages

Git / github.com/apache/activemq-artemis

Affected ranges

Type: GIT
Repo: https://github.com/apache/activemq-artemis
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

2be5c54cd0321a5bf7e711f2eb6e096a276e9604

Affected versions

1.*

1.0.0

1.1.0

1.2.0

1.3.0

1.4.0

1.5.0

1.5.1

2.*

2.0.0

2.1.0

2.10.0

2.10.1

2.11.0

2.12.0

2.13.0

2.14.0

2.15.0

2.16.0

2.17.0

2.18.0

2.19.0

2.2.0

2.20.0

2.21.0

2.22.0

2.23.0

2.24.0

2.25.0

2.26.0

2.27.0

2.28.0

2.3.0

2.4.0

2.5.0

2.6.0

2.7.0

2.8.0

2.8.1

2.9.0