Hi,

The fix is actually in activemq-client (which the broker uses too), so I suspect that is the artifact that is tagged. Have a look at https://central.sonatype.com/artifact/org.apache.activemq/activemq-client/versions and see if that helps.

Jon

On Mon, Nov 13, 2023 at 3:11 PM Wim van Ravesteijn <raveste...@olisa.eu> wrote:
> Hello,
>
> Over 2 weeks ago CVE-2023-46604 with a critical vulnerability was published, but I wonder if this was done in the proper way. When looking at Maven central, all versions are marked with 0 vulnerabilities, which is not correct:
>
> https://central.sonatype.com/artifact/org.apache.activemq/activemq-broker/versions
>
> I suppose this is also the reason dependency-check does not see any issues with the old ActiveMQ version. That means when people are not reading all CVEs or subscribed to this mailing list, they are still unaware of this critical vulnerability.
>
> Shouldn't this be fixed, so more people become aware they are running vulnerable software?
>
> Cheers,
>
> Wim