/Vulnerability Library

Apache ActiveMQ 6.x < 6.1.2 - Broken Access Control

CVE-2024-32114
Verified

Description

Apache ActiveMQ 6.x contains an unauthenticated API web context caused by default configuration lacking security measures in the Jetty server, letting anyone interact with broker APIs and messaging layers, exploit requires no authentication.

Severity

High

CVSS Score

8.8

Exploit Probability

7%

Affected Product

activemq

Published Date

May 2, 2026

Template Author

chrisjr404

CVE-2024-32114.yaml
id: CVE-2024-32114

info:
  name: Apache ActiveMQ 6.x < 6.1.2 - Broken Access Control
  author: ChrisJr404
  severity: high
  description: |
    Apache ActiveMQ 6.x contains an unauthenticated API web context caused by default configuration lacking security measures in the Jetty server, letting anyone interact with broker APIs and messaging layers, exploit requires no authentication.
  impact: |
    Unauthenticated users can interact with the broker, potentially producing, consuming, or deleting messages and accessing sensitive management APIs.
  remediation: |
    Upgrade to Apache ActiveMQ 6.1.2 or later, or update `conf/jetty.xml` to require authentication on the `/api/` web context.
  reference:
    - https://activemq.apache.org/security-advisories.data/CVE-2024-32114-announcement.txt
    - https://github.com/vulhub/vulhub/tree/master/activemq/CVE-2024-32114
    - https://github.com/advisories/GHSA-gj5m-m88j-v7c3
    - https://nvd.nist.gov/vuln/detail/CVE-2024-32114
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2024-32114
    cwe-id: CWE-1188
    epss-score: 0.0692
    epss-percentile: 0.93331
  metadata:
    verified: true
    max-request: 2
    vendor: apache
    product: activemq
    shodan-query: http.title:"ActiveMQ"
    fofa-query: title="ActiveMQ"
  tags: cve,cve2024,activemq,apache,jolokia,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/jolokia/search/org.apache.activemq:type=Broker,*"

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "request\":{", "type=Broker", "mbean\":", "org.apache.activemq")'
          - 'contains(content_type, "text/plain")'
          - 'status_code == 200'
        condition: and
# digest: 490a00463044022079e42479496bff0912fb279c900df58cfbee7462dc7010da950fab54ae48202402202494676c082d05949f3ff311f2cf9431a346a4945af2bdfa2dcf249bbe0f711f:922c64590222798bb761d5b6d8e72950
8.8Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE ID:
cve-2024-32114
CWE ID:
cwe-1188

References

https://activemq.apache.org/security-advisories.data/CVE-2024-32114-announcement.txthttps://github.com/vulhub/vulhub/tree/master/activemq/CVE-2024-32114https://github.com/advisories/GHSA-gj5m-m88j-v7c3https://nvd.nist.gov/vuln/detail/CVE-2024-32114

Remediation Steps

Upgrade to Apache ActiveMQ 6.1.2 or later, or update `conf/jetty.xml` to require authentication on the `/api/` web context.