This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/activemq-website.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 122d03f19 Automatic Site Publish by Buildbot
122d03f19 is described below
commit 122d03f19389c332f38961eda42dc70edb6aea09
Author: buildbot <[email protected]>
AuthorDate: Mon Apr 6 13:25:26 2026 +0000
Automatic Site Publish by Buildbot
---
output/components/classic/security.html | 2 ++
.../CVE-2026-33227-announcement.txt | 29 +++++++++++++++++++++
.../CVE-2026-34197-announcement.txt | 30 ++++++++++++++++++++++
3 files changed, 61 insertions(+)
diff --git a/output/components/classic/security.html
b/output/components/classic/security.html
index bdfb5dbc2..88a0d596a 100644
--- a/output/components/classic/security.html
+++ b/output/components/classic/security.html
@@ -97,6 +97,8 @@
<p>See the main <a href="../../security-advisories">Security Advisories</a>
page for details for other components and general information such as reporting
new security issues.</p>
<ul>
+ <li><a
href="../../security-advisories.data/CVE-2026-34197-announcement.txt">CVE-2026-34197</a>
- Authenticated users could perform RCE via Jolokia MBeans</li>
+ <li><a
href="../../security-advisories.data/CVE-2026-33227-announcement.txt">CVE-2026-33227</a>
- Improper Limitation of a Pathname to a Restricted Classpath Directory</li>
<li><a
href="../../security-advisories.data/CVE-2025-66168-announcement.txt">CVE-2025-66168</a>
- MQTT control packet remaining length field is not properly validated</li>
<li><a
href="../../security-advisories.data/CVE-2025-54539-announcement.txt">CVE-2025-54539</a>
- Deserialization of Untrusted Data</li>
<li><a
href="../../security-advisories.data/CVE-2025-29953-announcement.txt">CVE-2025-29953</a>
- Deserialization allowlist bypass</li>
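Review bot: the two new list items use different summary conventions, which makes the list harder to scan. The CVE-2026-33227 entry follows the existing items with a CWE-style weakness name ("Improper Limitation of a Pathname to a Restricted Classpath Directory"), while the CVE-2026-34197 entry states the impact ("Authenticated users could perform RCE via Jolokia MBeans"). Either is fine on its own, but consider picking one style for both, for example naming the weakness from the advisory title ("Improper Control of Generation of Code ('Code Injection') via Jolokia MBeans") or adding the "authenticated" precondition to the classpath entry as well, so readers triaging the page get the same kind of information from each line. Also note the CVE-2026-33227 summary here does not match the title used in its own announcement ("Improper validation and restriction of a classpath path name"); aligning the two avoids confusion when the texts are quoted separately.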
diff --git a/output/security-advisories.data/CVE-2026-33227-announcement.txt
b/output/security-advisories.data/CVE-2026-33227-announcement.txt
new file mode 100644
index 000000000..13ad83c54
--- /dev/null
+++ b/output/security-advisories.data/CVE-2026-33227-announcement.txt
@@ -0,0 +1,29 @@
+Severity: low
+
+Affected versions:
+
+- Apache ActiveMQ Client (org.apache.activemq:activemq-client) before 5.19.3
+- Apache ActiveMQ Client (org.apache.activemq:activemq-client) 6.0.0 before
6.2.2
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.3
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before
6.2.2
+- Apache ActiveMQ (org.apache.activemq:activemq-all) before 5.19.3
+- Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.2
+- Apache ActiveMQ Web (org.apache.activemq:activemq-web) before 5.19.3
+- Apache ActiveMQ Web (org.apache.activemq:activemq-web) 6.0.0 before 6.2.2
+
+Description:
+
+Improper validation and restriction of a classpath path name vulnerability in
Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All.
+
+In two instances (when creating a Stomp consumer and also browsing messages in
the Web console) an authenticated user provided "key" value could be
constructed to traverse the classpath due to path concatenation. As a result,
the application is exposed to a classpath path resource loading vulnerability
that could potentially be chained together with another attack to lead to
exploit.This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0
before 6.2.2; Apache ActiveMQ Broker: [...]
+
+Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the
issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to
non-Windows environments due to a path separator resolution bug fixed in 5.19.4
and 6.2.3.
+
+Credit:
+
+Dawei Wang (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-33227
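Review bot: the "Affected versions" block and the remediation paragraph disagree. The list says the client, broker, all and web artifacts are affected "before 5.19.3" and "6.0.0 before 6.2.2", but the remediation states that 5.19.3 and 6.2.2 only fix the issue on non-Windows environments because of a path separator resolution bug fixed in 5.19.4 and 6.2.3. A Windows deployment on 5.19.3 or 6.2.2 is therefore still affected yet falls outside every listed range; either extend the ranges to "before 5.19.4" / "6.0.0 before 6.2.3" (which also matches the "upgrade to version 5.19.4 or 6.2.3" advice) or add an explicit Windows caveat to the list. Two smaller points in the description: the closing sentence is truncated ("Apache ActiveMQ Broker: [...]"), so the per-component ranges should be spelled out or the sentence dropped in favour of the list above; and the first sentence names only Client, Broker and All although activemq-web is in the affected list and the Web console message browser is one of the two instances described, so "Apache ActiveMQ Web" belongs in that sentence. There is also a missing space in "exploit.This issue".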
diff --git a/output/security-advisories.data/CVE-2026-34197-announcement.txt
b/output/security-advisories.data/CVE-2026-34197-announcement.txt
new file mode 100644
index 000000000..271e7494d
--- /dev/null
+++ b/output/security-advisories.data/CVE-2026-34197-announcement.txt
@@ -0,0 +1,30 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.4
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before
6.2.3
+- Apache ActiveMQ (org.apache.activemq:activemq-all) before 5.19.4
+- Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.3
+
+Description:
+
+Improper Input Validation, Improper Control of Generation of Code ('Code
Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ.
+
+Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/
on the web console. The default Jolokia access policy permits exec operations
on all ActiveMQ MBeans (org.apache.activemq:*), including
+BrokerService.addNetworkConnector(String) and
BrokerService.addConnector(String).
+
+An authenticated attacker can invoke these operations with a crafted discovery
URI that triggers the VM transport's brokerConfig parameter to load a remote
Spring XML application context using ResourceXmlApplicationContext.
+Because Spring's ResourceXmlApplicationContext instantiates all singleton
beans before the BrokerService validates the configuration, arbitrary code
execution occurs on the broker's JVM through bean factory methods such as
Runtime.exec().
+This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before
6.2.3; Apache ActiveMQ: .
+
+Users are recommended to upgrade to version 5.19.5 or 6.2.3, which fixes the
issue.
+
+Credit:
+
+Naveen Sunkavally (Horizon3.ai) (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-34197
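Review bot: the sentence "This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: ." has an empty range for Apache ActiveMQ, apparently an unfilled template field; fill it from the list above ("before 5.19.4, from 6.0.0 before 6.2.3") or drop the sentence since the "Affected versions" block already carries the ranges. The fixed versions are also inconsistent: the affected list says 5.x is affected "before 5.19.4", but the remediation says "upgrade to version 5.19.5 or 6.2.3". One of the two is wrong; if 5.19.4 does not contain the fix, the affected range should read "before 5.19.5", and if it does, the remediation should point at 5.19.4. Since the severity is "important", it would also help readers who cannot upgrade immediately to say whether a tightened Jolokia access policy (the description notes the default policy permits exec on all org.apache.activemq:* MBeans) or restricting access to the web console is an acceptable interim mitigation; at the moment the advisory offers upgrade as the only option.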