Impact
An authenticated attacker with broker credentials can use the Jolokia JMX‑HTTP bridge exposed at /api/jolokia/ to execute arbitrary code on an ActiveMQ broker. The vulnerable interface allows exec operations on all ActiveMQ MBeans, including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). By providing a crafted discovery URI, the attacker forces the VM transport’s brokerConfig parameter to load a remote Spring XML application context with ResourceXmlApplicationContext, causing all singleton beans to be instantiated before broker configuration is validated. This leads to code injection via native methods such as Runtime.exec(), resulting in arbitrary code execution within the broker’s JVM. The flaw is classified as Improper Input Validation (CWE‑20), Improper Control of Generation of Code (CWE‑94), and System Interface Use with Untrusted Input (CWE‑78).
Affected Systems
The vulnerability affects Apache ActiveMQ, Apache ActiveMQ All, and Apache ActiveMQ Broker. Versions before 5.19.4 and all releases from 6.0.0 up to but not including 6.2.3 are impacted. These products expose the Jolokia interface by default, enabling the exploitation path outlined above.
Risk and Exploitability
The CVSS score of 8.8 indicates a high severity risk, and the EPSS score of 96% reflects a very high likelihood of exploitation in the wild. Additionally the vulnerability is listed in the CISA KEV catalog, confirming active exploitation. An attacker must gain authenticated access and send a crafted request to the /api/jolokia/ endpoint; once done, arbitrary code runs with the privileges of the broker process.
OpenCVE Enrichment
Github GHSA