Red Hat Amq Broker
Recent Red Hat Amq Broker Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2025:17567 | (RHSA-2025:17567) Important: Red Hat AMQ Broker 7.13.2 release and security update | October 8, 2025 |
| RHSA-2025:17562 | (RHSA-2025:17562) Moderate: AMQ Broker 7.13.2.OPR.1.GA Container Images release and security update | October 8, 2025 |
| RHSA-2025:16409 | (RHSA-2025:16409) Important: Red Hat AMQ Broker 7.12.5 release and security update | September 22, 2025 |
| RHSA-2025:13274 | (RHSA-2025:13274) Important: Red Hat AMQ Broker 7.13.1 release and security update | August 6, 2025 |
| RHSA-2025:12473 | (RHSA-2025:12473) Moderate: Red Hat AMQ Broker 7.12.5 release and security update | July 31, 2025 |
| RHSA-2025:12355 | (RHSA-2025:12355) Moderate: AMQ Broker 7.12.5.OPR.1.GA Container Images release and security update | July 31, 2025 |
| RHSA-2025:8147 | (RHSA-2025:8147) Moderate: AMQ Broker 7.13.0.OPR.1.GA Container Images security update | May 26, 2025 |
| RHSA-2025:7625 | (RHSA-2025:7625) Moderate: Red Hat AMQ Broker 7.13.0 release and security update | May 14, 2025 |
| RHSA-2024:6893 | (RHSA-2024:6893) Moderate: Red Hat AMQ Broker 7.12.0 release and security update | September 19, 2024 |
| RHSA-2024:3762 | (RHSA-2024:3762) Important: Red Hat AMQ Broker 7.11.7 release and security update | June 10, 2024 |
By the Year
In 2026 there has been 1 vulnerability in Red Hat Amq Broker with an average score of 8.3 out of ten. Last year, in 2025, Amq Broker had 2 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Amq Broker in 2026 could surpass last year's number. The average CVE base score of the vulnerabilities in 2026 is also greater by 2.95.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 8.30 |
| 2025 | 2 | 5.35 |
| 2024 | 5 | 6.68 |
| 2023 | 2 | 5.50 |
| 2022 | 3 | 6.13 |
It may take a day or so for new Amq Broker vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Amq Broker Security Vulnerabilities
Hibernate Second-Order SQLi via InlineIdsOrClauseBuilder
CVE-2026-0603
8.3 - High
- January 23, 2026
A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service.
SQL Injection
AMQ Broker Container Priv Esc via /etc/passwd Group-Writable
CVE-2025-58712
5.2 - Medium
- October 22, 2025
A container privilege escalation flaw was found in certain AMQ Broker images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
Incorrect Default Permissions
ActiveMQ Artemis: Operator Password Persistence Across CR Dependencies
CVE-2025-4057
5.5 - Medium
- May 26, 2025
A flaw was found in ActiveMQ Artemis. The password generated by activemq-artemis-operator does not regenerate between separated CR dependencies.
Keycloak XSS via Malicious ACS URLs (CVE-2023-6717)
CVE-2023-6717
6 - Medium
- April 25, 2024
A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.
XSS
Keycloak Redirect URI Validation Bypass via Wildcard URIs
CVE-2024-1132
8.1 - High
- April 17, 2024
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.
Directory traversal
Keycloak OIDC checkLoginIframe DoS via unvalidated cross-origin messages
CVE-2024-1249
7.4 - High
- April 17, 2024
A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.
Origin Validation Error
Memory Leak in Eclipse Vert.x TCP TLS Server via Fake SNI
CVE-2024-1300
5.4 - Medium
- April 02, 2024
A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.
Memory Leak
Vert.x HTTP Client Memory Leak via Netty FastThreadLocal
CVE-2024-1023
6.5 - Medium
- March 27, 2024
A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, the leak is triggered when the Vert.x HTTP client establishes connections to different hosts. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.
Memory Leak
Red Hat AMQ Broker Exposes Passwords in StatefulSet YAML (CVE-2023-4066)
CVE-2023-4066
5.5 - Medium
- September 27, 2023
A flaw was found in Red Hat's AMQ Broker, which stores certain passwords in a secret security-properties-prop-module, defined in ActivemqArtemisSecurity CR; however, they are shown in plaintext in the StatefulSet details yaml of AMQ Broker.
Cleartext Storage in a File or on Disk
AuthN Local Attacker Exposes Plain-Text Password In Log of RedHat AMQ Broker Operator
CVE-2023-4065
5.5 - Medium
- September 27, 2023
A flaw was found in Red Hat AMQ Broker Operator, where it displayed a password defined in ActiveMQArtemisAddress CR, shown in plain text in the Operator Log. This flaw allows an authenticated local attacker to access information outside of their permissions.
Improper Output Neutralization for Logs
AMQ Broker OOM Exploit Enables Partial DoS
CVE-2021-4040
5.3 - Medium
- August 24, 2022
A flaw was found in AMQ Broker. This issue can cause a partial interruption to the availability of AMQ Broker via an Out of memory (OOM) condition. This flaw allows an attacker to partially disrupt availability to the broker through a sustained attack of maliciously crafted messages. The highest threat from this vulnerability is system availability.
Memory Corruption
Confidentiality Disclosure in Red Hat AMQ 7.8 Management Console
CVE-2021-3763
4.3 - Medium
- August 23, 2022
A flaw was found in the Red Hat AMQ Broker management console in version 7.8 where an existing user is able to access some limited information even when the role the user is assigned to should not be allowed access to the management console. The main impact is to confidentiality: because some role bindings are incorrectly checked, some privileged meta information such as queue names and configuration details is disclosed, but the impact is limited as not all information is accessible and there is no effect on integrity.
AuthZ
A flaw was found in AMQ Broker Operator 7.9.4 installed via UI using OperatorHub where a low-privilege user
CVE-2022-1833
8.8 - High
- June 21, 2022
A flaw was found in AMQ Broker Operator 7.9.4 installed via UI using OperatorHub where a low-privilege user that has access to the namespace where the AMQ Operator is deployed has access to clusterwide edit rights by checking the secrets. The service account used for building the Operator gives more permission than expected and an attacker could benefit from it. This requires at least an already compromised low-privilege account or insider attack.
Incorrect Default Permissions