#VU89096 Missing authorization in ActiveMQ - CVE-2024-32114

Cybersecurity Help s.r.o.

Published: 2024-05-01

Vulnerability identifier: #VU89096

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-32114

CWE-ID: CWE-862

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ActiveMQ
Server applications / Mail servers

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists due to missing authorization in the application's REST API. A remote attacker can interact with the broker using Jolokia JMX REST API and produce/consume messages or purge/delete destinations using the Message REST API.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ActiveMQ: 6.0.0 - 6.0.1, 6.1.0 - 6.1.1

External links
https://activemq.apache.org/security-advisories.data/CVE-2024-32114
https://issues.apache.org/jira/browse/AMQ-9477

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Oracle Banking APIs

Multiple vulnerabilities in Oracle Banking Digital Experience

Multiple vulnerabilities in Oracle Financial Services Analytical Applications Infrastructure

Missing authorization in Apache ActiveMQ