Description
Insertion of Sensitive Information into Log File vulnerability in Apache ActiveMQ Artemis. All the values of the broker properties are logged when the org.apache.activemq.artemis.core.config.impl.ConfigurationImpl logger has the debug level enabled. This issue affects Apache ActiveMQ Artemis: from 1.5.1 before 2.40.0. It can be mitigated by restricting log access to only trusted users. Users are recommended to upgrade to version 2.40.0, which fixes the issue.
References (2)
Core 2
Core References
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2025/04/09/3
Issue Tracking, Mailing List, Vendor Advisory vendor-advisory
https://lists.apache.org/thread/25p96cvzl1mkt29lwm2d8knklkoqolps
Scores
CVSS v3
6.5
EPSS
0.0034
EPSS Percentile
25.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-532
Status
published
Products (3)
apache/activemq_artemis
1.5.1 - 2.40.0
apache/artemis
1.5.1 - 2.40.0
org.apache.activemq/artemis-project
1.5.1 - 2.40.0Maven
Published
Apr 09, 2025
Tracked Since
Feb 18, 2026