Advisories for Maven/Org.apache.activemq/Artemis-Server package

2025

Apache ActiveMQ Artemis User Without Create Address Permissions can Modify Address Routing-Type

A vulnerability exists in Apache ActiveMQ Artemis whereby a user with the createDurableQueue or createNonDurableQueue permission on an address can augment the routing-type supported by that address even if said user doesn't have the createAddress permission for that particular address. When combined with the send permission and automatic queue creation a user could successfully send a message with a routing-type not supported by the address when that message should actually …

2023

False positive

This advisory has been marked as a false positive.

False positive

This advisory has been marked as a false positive.

2022

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue.

2021

Cross-site Scripting

This advisory has been marked as a false positive.

Improper Authentication

The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis and Apache ActiveMQ, the anonymous context is used to verify a valid users password in error, resulting in no check on the password.