CVE-2022-35278: Apache ActiveMQ Artemis HTML Injection Vulnerability
Apache ActiveMQ Artemis released its latest security bulletin on August 18, disclosing an HTML injection vulnerability (CVE-2022-35278). The security researchers Yash Pandya Rajatkumar, Karmarkar, and Likhith Cheekatipalle from Digital14 have been credited with reporting this flaw.
Apache ActiveMQ Artemis is an open-source project that builds a multi-protocol, embeddable, very high-performance, clustered, asynchronous messaging system. Apache ActiveMQ Artemis is an example of Message Oriented Middleware (MoM).
“An attacker could show malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue,” read the security bulletin.
HTML injection is a type of injection vulnerability that occurs when a user controls an input point and can inject arbitrary HTML code into a vulnerable web page. Its consequences range from disclosure of a user’s session cookies, which could be used to impersonate the victim, to, more generally, modification of the page content seen by the victims.
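To make the pattern behind this class of bug concrete, the following is an added JavaScript example (it is not code from the Artemis project or from the advisory): a web console renders a table row from an untrusted queue name, first by concatenating the raw name into markup, then with the name escaped for the HTML text context. The function names, the allow-list policy for names on the write path, and the sample queue name are all constructed for this illustration and are not Artemis’s naming rules.

```javascript
// Added example (not from the advisory or the Artemis project): how an
// HTML-injection bug of the kind described above arises when a user-controlled
// name (here, a message queue name) is concatenated into markup, and how
// escaping it for the HTML text context closes it.

// The five characters that change meaning in HTML text or attribute context.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a value for safe interpolation into an HTML text node or a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the name is dropped straight into the markup, so any
// tags it contains are parsed by the browser as part of the page.
function renderQueueRowUnsafe(queueName) {
  return `<tr><td class="queue-name">${queueName}</td></tr>`;
}

// Hardened pattern: the same template, but the untrusted value is escaped,
// so the browser displays the characters literally instead of parsing them.
function renderQueueRow(queueName) {
  return `<tr><td class="queue-name">${escapeHtml(queueName)}</td></tr>`;
}

// Defence in depth on the write path: a conservative allow-list for names, so
// markup characters never reach storage in the first place. This character
// set is a constructed example policy, not the product's actual naming rules.
const SAFE_NAME = /^[A-Za-z0-9._:\-]{1,255}$/;

function isAcceptableQueueName(queueName) {
  return SAFE_NAME.test(String(queueName));
}

// Constructed sample input: a queue name that carries markup.
const constructedName = 'orders<b class="x">!</b>';

// Demonstration when the file is run directly with node.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log("unsafe:", renderQueueRowUnsafe(constructedName));
  console.log("safe:  ", renderQueueRow(constructedName));
  console.log("accepted on write?", isAcceptableQueueName(constructedName));
}
```

Output encoding at the point of rendering is the fix that actually closes the hole, because it works for every name already stored; the allow-list on creation is a second layer that also keeps odd names out of logs and other consumers.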
The CVE-2022-35278 flaw affects Apache ActiveMQ Artemis versions prior to 2.24.0. In this regard, we recommend that users upgrade Apache ActiveMQ Artemis to the latest version (2.24.0) as soon as possible.