Skip to content

[GHSA-rxpj-7qvf-xv32] Improper Input Validation, Improper Control of Generation... #7330

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
filipecamargos wants to merge 1 commit into
base: filipecamargos/advisory-improvement-7330
Choose a base branch
from
+20 −2
Open

[GHSA-rxpj-7qvf-xv32] Improper Input Validation, Improper Control of Generation... #7330

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 20 additions & 2 deletions advisories/unreviewed/2026/04/GHSA-rxpj-7qvf-xv32/GHSA-rxpj-7qvf-xv32.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,19 +1,37 @@
{
"schema_version": "1.4.0",
"id": "GHSA-rxpj-7qvf-xv32",
"modified": "2026-04-08T09:31:29Z",
"modified": "2026-04-07T15:30:49Z",
"published": "2026-04-07T09:31:22Z",
"aliases": [
"CVE-2026-34197"
],
"summary": "Apache ActiveMQ Broker, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans",
"details": "Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ.\n\nApache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including\nBrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). \n\nAn authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. \nBecause Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().\nThis issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: .\n\nUsers are recommended to upgrade to version 5.19.5 or 6.2.3, which fixes the issue.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"affected": [],
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.activemq:activemq-broker"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
]
}
],
"references": [
{
"type": "ADVISORY",
Expand Down
Loading