[<prev] [next>] [day] [month] [year] [list]
Message-ID: <7bce2dc1-7971-de8c-67b8-d61c72336ae3@apache.org>
Date: Wed, 09 Apr 2025 14:34:10 +0000
From: Domenico Francesco Bruscino <brusdev@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-27391: Apache ActiveMQ Artemis: Passwords leaking from
broker properties in the debug log
Affected versions:
- Apache ActiveMQ Artemis 1.5.1 before 2.40.0
Description:
Insertion of Sensitive Information into Log File vulnerability in Apache ActiveMQ Artemis. All the values of the broker properties are logged when the org.apache.activemq.artemis.core.config.impl.ConfigurationImpl logger has the debug level enabled.
This issue affects Apache ActiveMQ Artemis: from 1.5.1 before 2.40.0. It can be mitigated by restricting log access to only trusted users.
Users are recommended to upgrade to version 2.40.0, which fixes the issue.
Credit:
Rafael Yanez Illescas <ryanezil@...hat.com> (finder)
References:
https://activemq.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-27391
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
