Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.activemq/artemis-server@2.24.0

Type maven

Namespace org.apache.activemq

Name artemis-server

Version 2.24.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 2.50.0

Latest_non_vulnerable_version 2.50.0

Affected_by_vulnerabilities

url VCID-5r98-x93c-3ffh

vulnerability_id VCID-5r98-x93c-3ffh

summary

A vulnerability exists in Apache ActiveMQ Artemis whereby a user with the createDurableQueue or createNonDurableQueue permission on an address can augment the routing-type supported by that address even if said user doesn't have the createAddress permission for that particular address. When combined with the send permission and automatic queue creation a user could successfully send a message with a routing-type not supported by the address when that message should actually be rejected on the basis that the user doesn't have permission to change the routing-type of the address.

This issue affects Apache ActiveMQ Artemis from 2.0.0 through 2.39.0.

Users are recommended to upgrade to version 2.40.0 which fixes the issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27427.json

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27427.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-27427

reference_id

reference_type

scores

value	0.00358
scoring_system	epss
scoring_elements	0.58554
published_at	2026-06-12T12:55:00Z

value	0.00358
scoring_system	epss
scoring_elements	0.58442
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-27427

reference_url

https://github.com/apache/activemq-artemis

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/activemq-artemis

reference_url

https://github.com/apache/activemq-artemis/commit/2216a75a57f098295abb283d556c8b8bda91324d

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/activemq-artemis/commit/2216a75a57f098295abb283d556c8b8bda91324d

reference_url

https://github.com/apache/activemq-artemis/commit/6ab458015689303db8878941abe1bc973299fc2e

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/activemq-artemis/commit/6ab458015689303db8878941abe1bc973299fc2e

reference_url

https://issues.apache.org/jira/browse/ARTEMIS-5346

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://issues.apache.org/jira/browse/ARTEMIS-5346

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-27427

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-27427

reference_url

http://www.openwall.com/lists/oss-security/2025/03/31/1

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	LOW
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2025/03/31/1

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2356520
reference_id	2356520
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2356520

reference_url

https://lists.apache.org/thread/8dzlm2vkqphyrnkrby8r8kzndsm5o6x8

reference_id

8dzlm2vkqphyrnkrby8r8kzndsm5o6x8

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-01T14:09:53Z/

url

https://lists.apache.org/thread/8dzlm2vkqphyrnkrby8r8kzndsm5o6x8

reference_url	https://github.com/advisories/GHSA-3w85-5p9g-h334
reference_id	GHSA-3w85-5p9g-h334
reference_type
scores
url	https://github.com/advisories/GHSA-3w85-5p9g-h334

fixed_packages

url pkg:maven/org.apache.activemq/artemis-server@2.40.0

purl pkg:maven/org.apache.activemq/artemis-server@2.40.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ec2r-52qh-myhw

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.activemq/artemis-server@2.40.0

aliases CVE-2025-27427, GHSA-3w85-5p9g-h334

risk_score 1.9

exploitability 0.5

weighted_severity 3.9

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5r98-x93c-3ffh

url VCID-ec2r-52qh-myhw

vulnerability_id VCID-ec2r-52qh-myhw

summary

Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both:

- incoming Core protocol connections from untrusted sources to the broker

- outgoing Core protocol connections from the broker to untrusted targets

This issue affects:

- Apache Artemis from 2.50.0 through 2.51.0

- Apache ActiveMQ Artemis from 2.11.0 through 2.44.0.

Users are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue.

The issue can be mitigated by one of the following:

- Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the "artemis" acceptor listening on port 61616. See the "protocols" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core.

- Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability.

- Implement and deploy a Core interceptor to deny all Core downstream federation connect packets. Such packets have a type of (int) -16 or (byte) 0xfffffff0. Documentation for interceptors is available at https://artemis.apache.org/components/artemis/documentation/latest/intercepting-operations.html .

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27446.json

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27446.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-27446

reference_id

reference_type

scores

value	0.00156
scoring_system	epss
scoring_elements	0.36318
published_at	2026-06-12T12:55:00Z

value	0.00156
scoring_system	epss
scoring_elements	0.36139
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-27446

reference_url

https://cert-portal.siemens.com/productcert/html/ssa-085541.html

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://cert-portal.siemens.com/productcert/html/ssa-085541.html

reference_url

https://github.com/apache/artemis

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/artemis

reference_url

http://www.openwall.com/lists/oss-security/2026/03/03/4

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2026/03/03/4

reference_url

http://www.openwall.com/lists/oss-security/2026/03/04/1

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2026/03/04/1

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2444320
reference_id	2444320
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2444320

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-27446

reference_id

CVE-2026-27446

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-27446

reference_url

https://github.com/advisories/GHSA-fw88-pf9m-p947

reference_id

GHSA-fw88-pf9m-p947

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-fw88-pf9m-p947

reference_url

https://lists.apache.org/thread/jwpsdc8tdxotm98od8n8n30fqlzoc8gg

reference_id

jwpsdc8tdxotm98od8n8n30fqlzoc8gg

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-04T18:54:49Z/

url

https://lists.apache.org/thread/jwpsdc8tdxotm98od8n8n30fqlzoc8gg

reference_url	https://access.redhat.com/errata/RHSA-2026:17668
reference_id	RHSA-2026:17668
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17668

reference_url	https://access.redhat.com/errata/RHSA-2026:18054
reference_id	RHSA-2026:18054
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:18054

reference_url	https://access.redhat.com/errata/RHSA-2026:18055
reference_id	RHSA-2026:18055
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:18055

reference_url	https://access.redhat.com/errata/RHSA-2026:18059
reference_id	RHSA-2026:18059
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:18059

reference_url	https://access.redhat.com/errata/RHSA-2026:3955
reference_id	RHSA-2026:3955
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3955

reference_url	https://access.redhat.com/errata/RHSA-2026:3957
reference_id	RHSA-2026:3957
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3957

fixed_packages

url	pkg:maven/org.apache.activemq/artemis-server@2.50.0
purl	pkg:maven/org.apache.activemq/artemis-server@2.50.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.activemq/artemis-server@2.50.0

aliases CVE-2026-27446, GHSA-fw88-pf9m-p947

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ec2r-52qh-myhw

Fixing_vulnerabilities

url VCID-a43b-vh82-8fa3

vulnerability_id VCID-a43b-vh82-8fa3

summary HTML Injection in ActiveMQ Artemis Web Console

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-35278.json

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-35278.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-35278

reference_id

reference_type

scores

value	0.07865
scoring_system	epss
scoring_elements	0.92221
published_at	2026-06-12T12:55:00Z

value	0.07865
scoring_system	epss
scoring_elements	0.92194
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-35278

reference_url

https://lists.apache.org/thread/bh6y81wtotg75337bpvxcjy436zfgf3n

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread/bh6y81wtotg75337bpvxcjy436zfgf3n

reference_url

https://security.netapp.com/advisory/ntap-20221209-0005

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20221209-0005

reference_url	https://security.netapp.com/advisory/ntap-20221209-0005/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20221209-0005/

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2109805
reference_id	2109805
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2109805

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-35278

reference_id

CVE-2022-35278

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-35278

reference_url

https://github.com/advisories/GHSA-cv6r-h2fm-pvrp

reference_id

GHSA-cv6r-h2fm-pvrp

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-cv6r-h2fm-pvrp

reference_url	https://access.redhat.com/errata/RHSA-2022:6292
reference_id	RHSA-2022:6292
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6292

reference_url	https://access.redhat.com/errata/RHSA-2022:6916
reference_id	RHSA-2022:6916
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6916

fixed_packages

url pkg:maven/org.apache.activemq/artemis-server@2.24.0

purl pkg:maven/org.apache.activemq/artemis-server@2.24.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5r98-x93c-3ffh

vulnerability	VCID-ec2r-52qh-myhw

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.activemq/artemis-server@2.24.0

aliases CVE-2022-35278, GHSA-cv6r-h2fm-pvrp

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a43b-vh82-8fa3

Risk_score 4.5

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.activemq/artemis-server@2.24.0

Package Instance