Search for packages
| purl | pkg:deb/debian/activemq@5.16.1-1 |
| Next non-vulnerable version | 5.17.6+dfsg-2 |
| Latest non-vulnerable version | 5.17.6+dfsg-2 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-f5x2-zvxa-yba5
Aliases: CVE-2023-46604 GHSA-crg9-44h2-xw35 |
False positive This advisory has been marked as a false positive. |
Affected by 1 other vulnerability. |
|
VCID-k4jb-36cp-1fc4
Aliases: CVE-2022-41678 GHSA-53v4-42fg-g287 |
False positive This advisory has been marked as a false positive. |
Affected by 1 other vulnerability. |
|
VCID-q6zs-spcv-v7ey
Aliases: CVE-2025-27533 GHSA-whxr-3p84-rf3c |
Apache ActiveMQ: Unchecked buffer length can cause excessive memory allocation Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. During unmarshalling of OpenWire commands the size value of buffers was not properly validated which could lead to excessive memory allocation and be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on the availability of the ActiveMQ broker when not using mutual TLS connections. This issue affects Apache ActiveMQ: from 6.0.0 before 6.1.6, from 5.18.0 before 5.18.7, from 5.17.0 before 5.17.7, before 5.16.8. ActiveMQ 5.19.0 is not affected. Users are recommended to upgrade to version 6.1.6+, 5.19.0+, 5.18.7+, 5.17.7, or 5.16.8 or which fixes the issue. Existing users may implement mutual TLS to mitigate the risk on affected brokers. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-18k1-3h2s-8uex | Apache ActiveMQ webconsole admin GUI is open to XSS In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue. |
CVE-2020-1941
GHSA-cc94-3v9c-7rm8 |
| VCID-37ws-cqf7-4udm | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the message.jsp page of Apache ActiveMQ versions 5.15.12 through 5.16.0. |
CVE-2020-13947
GHSA-66gw-ch5v-74v8 |
| VCID-6fqa-fzda-x3ej | Improper Authentication in Apache ActiveMQ and Apache Artemis The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid users password in error, resulting in no check on the password. |
CVE-2021-26117
GHSA-9mgm-gcq8-86wq |
| VCID-9z4y-wq57-vyaf | Code Injection In Apache ActiveMQ, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive. |
CVE-2019-0222
GHSA-jpv3-g4cc-6vfx |
| VCID-a3nb-p5p6-zbf7 | Missing Authentication for Critical Function Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12. |
CVE-2020-13920
GHSA-xgrx-xpv2-6vp4 |