CVE-2025-27391 – org.apache.activemq:artemis-project

Package

Manager: maven
Name: org.apache.activemq:artemis-project
Vulnerable Version: >=1.5.1 <2.40.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS: 0.00043 pctl0.12449

Details

Apache ActiveMQ Artemis Vulnerable to Insertion of Sensitive Information into Log File Insertion of Sensitive Information into Log File vulnerability in Apache ActiveMQ Artemis. All the values of the broker properties are logged when the org.apache.activemq.artemis.core.config.impl.ConfigurationImpl logger has the debug level enabled. This issue affects Apache ActiveMQ Artemis: from 1.5.1 before 2.40.0. It can be mitigated by restricting log access to only trusted users. Users are recommended to upgrade to version 2.40.0, which fixes the issue.

Metadata

Created: 2025-04-09T15:32:23Z
Modified: 2025-07-15T00:27:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-pm4j-p7pm-fpvx/GHSA-pm4j-p7pm-fpvx.json
CWE IDs: ["CWE-532"]
Alternative ID: GHSA-pm4j-p7pm-fpvx
Finding: F091
Auto approve: 1