{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2026-04-17T19:47:20.111",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2022-41678",
        "sourceIdentifier": "security@apache.org",
        "published": "2023-11-28T16:15:06.840",
        "lastModified": "2025-11-03T22:16:00.520",
        "vulnStatus": "Modified",
        "cveTags": [],
        "descriptions": [
          {
            "lang": "en",
            "value": "Once a user is authenticated on Jolokia, they can potentially trigger arbitrary code execution.\n\nIn detail, in ActiveMQ configurations, Jetty allows org.jolokia.http.AgentServlet to handle requests to /api/jolokia.\n\norg.jolokia.http.HttpRequestHandler#handlePostRequest is able to create a JmxRequest through JSONObject, and calls org.jolokia.http.HttpRequestHandler#executeRequest.\n\nDeeper in the call stack, org.jolokia.handler.ExecHandler#doHandleRequest can be invoked through reflection. This could lead to RCE via various MBeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl, which exists on Java versions above 11.\n\n1 Call newRecording.\n\n2 Call setConfiguration, with webshell data hidden in it.\n\n3 Call startRecording.\n\n4 Call copyTo. The webshell will be written to a .jsp file.\n\nThe mitigation is to restrict (by default) the actions authorized on Jolokia, or to disable Jolokia.\nA more restrictive Jolokia configuration has been defined in the default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distribution versions that include the updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.\n"
          },
          {
            "lang": "es",
            "value": "Once a user is authenticated on Jolokia, they can potentially trigger arbitrary code execution. In detail, in ActiveMQ configurations, Jetty allows org.jolokia.http.AgentServlet to handle requests to /api/jolokia. org.jolokia.http.HttpRequestHandler#handlePostRequest can create a JmxRequest through JSONObject, and calls org.jolokia.http.HttpRequestHandler#executeRequest. Deeper in the call stack, org.jolokia.handler.ExecHandler#doHandleRequest can be invoked through reflection. RCE can then be achieved through jdk.management.jfr.FlightRecorderMXBeanImpl, which exists on Java versions above 11. 1 Call newRecording. 2 Call setConfiguration, with webshell data hidden in it. 3 Call startRecording. 4 Call copyTo. The webshell will be written to a .jsp file. The mitigation is to restrict (by default) the actions authorized on Jolokia, or to disable Jolokia. A more restrictive Jolokia configuration has been defined in the default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distribution versions that include the updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0."
          }
        ],
        "metrics": {
          "cvssMetricV31": [
            {
              "source": "nvd@nist.gov",
              "type": "Primary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "LOW",
                "userInteraction": "NONE",
                "scope": "UNCHANGED",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "availabilityImpact": "HIGH"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 5.9
            }
          ]
        },
        "weaknesses": [
          {
            "source": "security@apache.org",
            "type": "Secondary",
            "description": [
              {"lang": "en", "value": "CWE-287"}
            ]
          }
        ],
        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*",
                    "versionEndExcluding": "5.16.6",
                    "matchCriteriaId": "2CD766F1-F0C9-4CFE-85F5-308248C6E44C"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*",
                    "versionStartIncluding": "5.17.0",
                    "versionEndExcluding": "5.17.4",
                    "matchCriteriaId": "B0D4F2D0-6707-47EA-BE24-D1B273EF5122"
                  }
                ]
              }
            ]
          }
        ],
        "references": [
          {"url": "https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt", "source": "security@apache.org", "tags": ["Vendor Advisory"]},
          {"url": "https://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4sl", "source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"]},
          {"url": "https://security.netapp.com/advisory/ntap-20240216-0004/", "source": "security@apache.org"},
          {"url": "https://www.openwall.com/lists/oss-security/2023/11/28/1", "source": "security@apache.org"},
          {"url": "https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"]},
          {"url": "https://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4sl", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"]},
          {"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00027.html", "source": "af854a3a-2127-422b-91ae-364da2661108"},
          {"url": "https://security.netapp.com/advisory/ntap-20240216-0004/", "source": "af854a3a-2127-422b-91ae-364da2661108"},
          {"url": "https://www.openwall.com/lists/oss-security/2023/11/28/1", "source": "af854a3a-2127-422b-91ae-364da2661108"}
        ]
      }
    }
  ]
}
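The four-step FlightRecorder chain in the description (newRecording, setConfiguration, startRecording, copyTo) arrives at the broker as ordinary Jolokia requests, either as GET URLs under /api/jolokia or as POST JSON bodies, so it can be checked at a reverse proxy or in request logs. The following is an added example, not code from the NVD record, Apache ActiveMQ or Jolokia: it normalises both request shapes, applies an assumed read-only policy that denies the FlightRecorder MBean (in the spirit of the advisory's "restrict the actions authorized on Jolokia" mitigation, not ActiveMQ's actual jolokia-access.xml), and flags a client that reaches copyTo after the three earlier steps. The log records, the policy sets and the /api/jolokia prefix handling are constructed assumptions for the example.

```python
"""Detect Jolokia requests that follow the CVE-2022-41678 FlightRecorder chain.

Added example; not code from the NVD entry, Apache ActiveMQ or Jolokia.
Handles the GET URL form (/api/jolokia/<type>/<mbean>/<op>/<args...>, where
Jolokia uses '!' as the path escape character) and the POST JSON form (a single
object or an array of objects carrying "type", "mbean", "operation").
"""
import json
from collections import defaultdict
from urllib.parse import unquote

JOLOKIA_PREFIX = "/api/jolokia"                   # servlet path named in the advisory
FLIGHT_RECORDER = "jdk.management.jfr:type=FlightRecorder"
CHAIN = ("newRecording", "setConfiguration", "startRecording", "copyTo")

# Assumed restrictive policy for the example: read-only commands only,
# and the JFR MBean off-limits entirely. Not ActiveMQ's shipped policy.
ALLOWED_COMMANDS = {"read", "list", "search", "version"}
DENIED_MBEANS = {FLIGHT_RECORDER}


def split_jolokia_path(s):
    """Split a Jolokia GET path on '/' while honouring its '!' escape ('!/' -> '/', '!!' -> '!')."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "!" and i + 1 < len(s):
            cur.append(s[i + 1])
            i += 2
            continue
        if s[i] == "/":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def parse_request(method, path, body):
    """Normalise one HTTP request into a list of (type, mbean, operation, args) tuples."""
    path = unquote(path.split("?", 1)[0])
    if path != JOLOKIA_PREFIX and not path.startswith(JOLOKIA_PREFIX + "/"):
        return []
    if method == "GET":
        parts = split_jolokia_path(path[len(JOLOKIA_PREFIX) + 1:])
        if len(parts) < 2:
            return []
        op = parts[2] if len(parts) > 2 else None
        return [(parts[0], parts[1], op, parts[3:])]
    if method == "POST" and body:
        try:
            data = json.loads(body)
        except ValueError:
            return []
        reqs = data if isinstance(data, list) else [data]   # bulk requests are a JSON array
        return [(r.get("type"), r.get("mbean"),
                 r.get("operation") or r.get("attribute"),
                 r.get("arguments") or [])
                for r in reqs if isinstance(r, dict)]
    return []


def audit(log):
    """Run the policy and the chain detector over (client, method, path, body) records.

    Returns a list of (client, finding, detail) tuples. Chain detection is
    set-based per client: copyTo is flagged once the other three steps have
    been seen from the same client, regardless of their order.
    """
    findings = []
    seen = defaultdict(set)           # client -> chain operations observed on the JFR MBean
    for client, method, path, body in log:
        for rtype, mbean, op, args in parse_request(method, path, body):
            if rtype not in ALLOWED_COMMANDS:
                findings.append((client, "command-not-allowed", f"{rtype} {mbean}/{op}"))
            if mbean in DENIED_MBEANS:
                findings.append((client, "denied-mbean", f"{mbean}/{op}"))
            if rtype == "exec" and mbean == FLIGHT_RECORDER and op in CHAIN:
                seen[client].add(op)
                # copyTo after the earlier three steps is the write-to-disk stage of the chain
                if op == "copyTo" and set(CHAIN[:-1]) <= seen[client]:
                    dest = args[-1] if args else "?"
                    findings.append((client, "jfr-copyto-chain", f"recording written to {dest}"))
    return findings


SAMPLE_LOG = [  # constructed records, not real traffic
    ("10.0.0.5", "GET", "/api/jolokia/read/java.lang:type=Memory/HeapMemoryUsage", ""),
    ("10.0.0.5", "POST", "/api/jolokia", '{"type":"version"}'),
    ("10.0.0.9", "POST", "/api/jolokia",
     '{"type":"exec","mbean":"jdk.management.jfr:type=FlightRecorder","operation":"newRecording"}'),
    ("10.0.0.9", "POST", "/api/jolokia",
     '[{"type":"exec","mbean":"jdk.management.jfr:type=FlightRecorder",'
     '"operation":"setConfiguration","arguments":[1,"<configuration/>"]},'
     '{"type":"exec","mbean":"jdk.management.jfr:type=FlightRecorder",'
     '"operation":"startRecording","arguments":[1]}]'),
    ("10.0.0.9", "GET",
     "/api/jolokia/exec/jdk.management.jfr:type=FlightRecorder/copyTo/1/!/opt!/activemq!/webapps!/x.jsp", ""),
]

if __name__ == "__main__":
    for client, finding, detail in audit(SAMPLE_LOG):
        print(f"{client}\t{finding}\t{detail}")
```

Run against the constructed log, the read-only client 10.0.0.5 produces nothing, while 10.0.0.9 trips the policy on every exec and the chain detector on the final copyTo, whose last argument is the destination path. Feeding the policy checks alone would already have stopped this chain at newRecording, which is the point of the advisory's mitigation: an authenticated Jolokia user should not be able to reach exec on arbitrary MBeans by default.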