CVE-2023-50780

HIGH

Apache Activemq Artemis < 2.29.0 - Improper Authorization

Title source: rule

Description

Apache ActiveMQ Artemis allows access to diagnostic information and controls through MBeans, which are also exposed through the authenticated Jolokia endpoint. Before version 2.29.0, this also included the Log4J2 MBean. This MBean is not meant for exposure to non-administrative users. This could eventually allow an authenticated attacker to write arbitrary files to the filesystem and indirectly achieve RCE. Users are recommended to upgrade to version 2.29.0 or later, which fixes the issue.

Exploits (1)

nomisec WRITEUP
by mbadanoiu · poc
https://github.com/mbadanoiu/CVE-2023-50780

References (2)

Scores

CVSS v3 8.8
EPSS 0.0271
EPSS Percentile 85.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-285
Status published

Affected Products (2)

apache/activemq_artemis < 2.29.0
org.apache.activemq/artemis-cli < 2.29.0Maven

Timeline

Published Oct 14, 2024
Tracked Since Feb 18, 2026