id: CVE-2024-32114

info:
  name: Apache ActiveMQ 6.x < 6.1.2 - Broken Access Control
  author: ChrisJr404
  severity: high
  description: |
    Apache ActiveMQ 6.x contains an unauthenticated API web context caused by a default configuration that lacks security measures in the Jetty server, letting anyone interact with broker APIs and messaging layers; exploitation requires no authentication.
  impact: |
    Unauthenticated users can interact with the broker, potentially producing, consuming, or deleting messages and accessing sensitive management APIs.
  remediation: |
    Upgrade to Apache ActiveMQ 6.1.2 or later, or update `conf/jetty.xml` to require authentication on the `/api/` web context.
  reference:
    - https://activemq.apache.org/security-advisories.data/CVE-2024-32114-announcement.txt
    - https://github.com/vulhub/vulhub/tree/master/activemq/CVE-2024-32114
    - https://github.com/advisories/GHSA-gj5m-m88j-v7c3
    - https://nvd.nist.gov/vuln/detail/CVE-2024-32114
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2024-32114
    cwe-id: CWE-1188
    epss-score: 0.67981
    epss-percentile: 0.98607
  metadata:
    verified: true
    max-request: 2
    vendor: apache
    product: activemq
    shodan-query: http.title:"ActiveMQ"
    fofa-query: title="ActiveMQ"
  tags: cve,cve2024,activemq,apache,jolokia,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/jolokia/search/org.apache.activemq:type=Broker,*"

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "request\":{", "type=Broker", "mbean\":", "org.apache.activemq")'
          - 'contains(content_type, "text/plain")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022100bc69bc638637fce82751db8302e688ab62ad365c86718e3cb74e0e331a109cbc02201a87f2b5752e735e324f6bccc6c57899a2abfd0fb2fd9626da593f0f4c759ea3:922c64590222798bb761d5b6d8e72950