CVE-2025-27391

09.04.2025, 15:16

Insertion of Sensitive Information into Log File vulnerability in Apache ActiveMQ Artemis. All the values of the broker properties arelogged when the org.apache.activemq.artemis.core.config.impl.ConfigurationImpl logger has thedebug level enabled.

This issue affects Apache ActiveMQ Artemis: from 1.5.1 before 2.40.0. It can be mitigated by restricting log access to only trusted users.

Users are recommended to upgrade to version 2.40.0, which fixes the issue.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
apache	CNA	---	---
CISA-ADP	ADP	---	---
CVE	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Common Weakness Enumeration

CWE-532 - Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References

https://lists.apache.org/thread/25p96cvzl1mkt29lwm2d8knklkoqolps

http://www.openwall.com/lists/oss-security/2025/04/09/3