Vulnerability in Apache ActiveMQ

CVE-2020-11998

A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following att…

EPSS: 0.512 (98.8th percentile)

Affected products

  • N/a Apache ActiveMQ — versions Apache Tomcat 5.15.12

Frequently asked questions

What is CVE-2020-11998?
CVE-2020-11998 is a vulnerability in Apache ActiveMQ. Published 2020-09-10.

Is CVE-2020-11998 known to be exploited?
7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.