Platform
java
Component
org.apache.activemq:activemq-client
Fixed in
5.19.3
6.2.2
CVE-2026-33227 describes an improper validation and restriction of classpath path names vulnerability affecting Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, and Apache ActiveMQ. This flaw allows an authenticated user to potentially load arbitrary resources by manipulating the "key" value during Stomp consumer creation or browsing messages in the Web console, leading to a classpath resource loading vulnerability. The vulnerability impacts versions up to 5.9.1, and a patch is available in version 5.19.3.
CVE-2026-33227 in Apache ActiveMQ affects several components (Client, Broker, All, Web) due to improper validation of the classpath path. An authenticated user can manipulate the 'key' value to concatenate paths, potentially accessing resources outside the expected class directory. This could allow an attacker to read sensitive files or execute malicious code if executable files are accessible within the classpath. The vulnerability's severity is rated as CVSS 4.3, indicating a moderate risk. Successful exploitation requires authentication, but the potential impact is significant, especially in environments where ActiveMQ is used to transmit sensitive information.
The vulnerability manifests in two scenarios: when creating a Stomp consumer and when browsing messages in the web console. In both cases, an attacker can inject special characters into the 'key' value to construct a malicious classpath path. Path concatenation allows the attacker to access arbitrary files on the file system, provided the ActiveMQ process has the necessary permissions. The complexity of exploitation is relatively low, as it only requires authentication and the ability to manipulate the 'key' value.
Exploit status
EPSS
0.05% (15th percentile)
CVSS vector
The recommended solution is to upgrade to version 5.19.3 or later of Apache ActiveMQ. This version corrects the vulnerability by implementing stricter classpath path validation. In the meantime, as a temporary measure, restrict access to the web console and limit the privileges of authenticated users. It's crucial to review the ActiveMQ configuration to ensure that non-standard classpath paths or configurations that could facilitate exploitation are not being used. Monitoring ActiveMQ logs for suspicious patterns can also help detect exploitation attempts.
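As an added example (not ActiveMQ's own code and not the upstream patch), the following Java shows the pattern the fix description points at: a user-controlled key concatenated unchecked into a classpath resource path, beside a validated lookup that accepts only a single safe path segment and confirms the normalised result still sits under the expected base. The class name, the `templates/` base prefix, the allowlist regex and the sample keys are assumptions constructed for illustration.

```java
import java.io.InputStream;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/**
 * Added example (not ActiveMQ's code): resolving a caller-supplied "key"
 * to a classpath resource, unsafe and hardened variants side by side.
 */
public final class ClasspathKeyValidation {

    // Hypothetical base directory on the classpath under which keys are resolved.
    private static final String BASE = "templates/";

    // Allowlist: one path segment, alphanumeric first character, no separators,
    // no ':' (drive letters / URL schemes) and no leading '.' (so "." and ".."
    // cannot match). Length capped to keep keys bounded.
    private static final Pattern SAFE_KEY =
            Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,63}");

    /** Vulnerable pattern, shown for contrast only: the key is concatenated unchecked. */
    static String unsafeResourcePath(String key) {
        return BASE + key;
    }

    /** Hardened: reject anything that is not a single safe segment, then re-check after normalisation. */
    static String safeResourcePath(String key) {
        if (key == null || !SAFE_KEY.matcher(key).matches()) {
            throw new IllegalArgumentException("invalid resource key");
        }
        // Defence in depth: normalise and confirm the result cannot leave BASE.
        // Backslashes are folded to '/' so the check behaves the same on Windows,
        // where the platform separator differs (the page notes a separator issue there).
        String normalised = Paths.get(BASE + key).normalize().toString().replace('\\', '/');
        if (!normalised.startsWith(BASE) || normalised.length() == BASE.length()) {
            throw new IllegalArgumentException("resource key escapes base directory");
        }
        return normalised;
    }

    /** Load a resource by validated key; returns null if the resource does not exist. */
    static InputStream load(ClassLoader loader, String key) {
        return loader.getResourceAsStream(safeResourcePath(key));
    }

    public static void main(String[] args) {
        // Constructed sample keys: one benign, the rest shaped like traversal or absolute paths.
        String[] keys = {"order-updates", "../conf/secret.properties", "a/b", "c:/tmp", "..", ".hidden"};
        for (String k : keys) {
            System.out.println("raw  : " + unsafeResourcePath(k));
            try {
                System.out.println("safe : " + safeResourcePath(k));
            } catch (IllegalArgumentException e) {
                System.out.println("safe : rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running `main` prints the raw concatenation for every key but accepts only `templates/order-updates`; every key containing a separator, a colon or a leading dot is rejected before it ever reaches `getResourceAsStream`. The allowlist does the real work; the normalisation check is a second, independent guard in case the allowlist is later loosened.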
Update to version 5.19.4 or 6.2.3 of Apache ActiveMQ to mitigate the vulnerability. In Windows environments, make sure to update to version 6.2.3 to fix a path separator resolution error.
Versions prior to 5.19.3 of Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, and Apache ActiveMQ are vulnerable.
It is recommended to update all ActiveMQ components to version 5.19.3 or later to ensure maximum security.
As a temporary measure, restrict access to the web console and limit the privileges of authenticated users. Review the ActiveMQ configuration and monitor the logs.
An attacker could access any file that the ActiveMQ process has access to, including configuration files, API keys, and other sensitive data.
Currently, there are no specific tools to detect the exploitation of this vulnerability. Monitoring ActiveMQ logs for suspicious patterns is the best option.