CVE-2024-32114

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-32114

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32114.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-32114

Aliases

Published

2024-05-02T09:15:06Z

Modified

2025-02-12T01:48:29.787700Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (where the Jolokia JMX REST API and the Message REST API are located). It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with the broker (using Jolokia JMX REST API) and/or produce/consume messages or purge/delete destinations (using the Message REST API).

To mitigate, users can update the default conf/jetty.xml configuration file to add authentication requirement: <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping"> <property name="constraint" ref="securityConstraint" /> <property name="pathSpec" value="/" /> </bean>

Or we encourage users to upgrade to Apache ActiveMQ 6.1.2 where the default configuration has been updated with authentication by default.

References

https://activemq.apache.org/security-advisories.data/CVE-2024-32114-announcement.txt

Affected packages

Git / github.com/apache/activemq

Affected ranges

Type: GIT
Repo: https://github.com/apache/activemq
Events: Introduced

14bac13f40958c1a1d3d198051eed32facc4abd1

Fixed

ceea6dac1c9ebf82956c46707d44e9b0b157d39a

Affected versions

activemq-6.*

activemq-6.0.0

activemq-6.1.0

activemq-6.1.1