org.apache.activemq:activemq-client
Maven
17 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.apache.activemq:activemq-client
- CVE-2013-1879 | NONE | CVSS 0.0 | ✓ Fixed in 5.9.0 | 2013-07-20
vulnerable: 5.8.0
Cross-site scripting (XSS) vulnerability in scheduled.jsp in Apache ActiveMQ 5.8.0 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving the "cron of a message."
- CVE-2013-3060 | NONE | CVSS 0.0 | ✓ Fixed in 5.8.0 | 2013-04-21
The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests.
- CVE-2014-3576 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 5.11.0 | 2015-08-14
vulnerable: 5.10.0 ... 5.9.1 (6 versions)
The processControlCommand function in broker/TransportConnection.java in Apache ActiveMQ before 5.11.0 allows remote attackers to cause a denial of service (shutdown) via a shutdown command.
- CVE-2014-3600 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 5.10.1 | 2017-10-27
vulnerable: 5.10.0, 5.8.0, 5.9.0, 5.9.1
XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.
- CVE-2014-8110 | NONE | CVSS 0.0 | ✓ Fixed in 5.10.1 | 2015-02-12
vulnerable: 5.10.0, 5.8.0, 5.9.0, 5.9.1
Multiple cross-site scripting (XSS) vulnerabilities in the web based administration console in Apache ActiveMQ 5.x before 5.10.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2015-1830 | NONE | CVSS 0.0 | EG 9.0 | ✓ Fixed in 5.11.2 | 2015-08-19
vulnerable: 5.10.0 ... 5.9.1 (8 versions)
Directory traversal vulnerability in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5.x before 5.11.2 for Windows allows remote attackers to create JSP files in arbitrary directories via unspecified vecto…
- CVE-2015-5254 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 5.12.2 | 2016-01-08
vulnerable: 5.12.0, 5.12.1
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.
- CVE-2015-7559 | LOW | CVSS 2.7 | EG 2.7 | ✓ Fixed in 5.14.5 | 2019-08-01
vulnerable: 5.10.0 ... 5.9.1 (26 versions)
It was found that the Apache ActiveMQ client before 5.14.5 exposed a remote shutdown command in the ActiveMQConnection class. An attacker logged into a compromised broker could use this flaw to achieve denial of service on a connected clie…
- CVE-2016-0734 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 5.13.2 | 2016-04-07
vulnerable: 5.10.0 ... 5.9.1 (17 versions)
The web-based administration console in Apache ActiveMQ 5.x before 5.13.2 does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) F…
- CVE-2016-0782 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 5.13.2 | 2016-08-05
vulnerable: 5.13.0, 5.13.1
The administration web console in Apache ActiveMQ 5.x before 5.11.4, 5.12.x before 5.12.3, and 5.13.x before 5.13.2 allows remote authenticated users to conduct cross-site scripting (XSS) attacks and consequently obtain sensitive informati…
- CVE-2016-3088 | CRITICAL | CVSS 9.8 | EG 9.8 | ⚠ KEV | ✓ Fixed in 5.14.0 | 2016-06-01
vulnerable: 5.10.0 ... 5.9.1 (21 versions)
The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
- CVE-2016-6810 | MEDIUM | CVSS 6.1 | ✓ Fixed in 5.14.2 | 2018-01-10
vulnerable: 5.10.0 ... 5.9.1 (23 versions)
In Apache ActiveMQ 5.x before 5.14.2, an instance of a cross-site scripting vulnerability was identified to be present in the web based administration console. The root cause of this issue is improper user data output validation.
- CVE-2018-11775 | HIGH | CVSS 7.4 | ✓ Fixed in 5.15.6 | 2018-09-10
vulnerable: 5.10.0 ... 5.9.1 (33 versions)
TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now ena…
- CVE-2019-0222 | HIGH | CVSS 7.5 | ✓ Fixed in 5.15.9 | 2019-03-28
vulnerable: 5.10.0 ... 5.9.1 (36 versions)
In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.
- CVE-2023-46604 | CRITICAL | CVSS 10.0 | EG 10.0 | ⚠ KEV | ✓ Fixed in 5.18.3 | 2023-10-27
vulnerable: 5.18.0, 5.18.1, 5.18.2
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipul…
- CVE-2026-33227 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 6.2.2 | 2026-04-07
vulnerable: 6.0.0 ... 6.2.1 (13 versions)
Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ. In two instances (when creating a Stomp consumer…
- CVE-2026-39304 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 6.2.4 | 2026-04-10
vulnerable: 6.0.0 ... 6.2.3 (15 versions)
Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it pos…