CVE-2010-1244 in ActiveMQ
Summary
by MITRE
Cross-site request forgery (CSRF) vulnerability in createDestination.action in Apache ActiveMQ before 5.3.1 allows remote attackers to hijack the authentication of unspecified victims for requests that create queues via the JMSDestination parameter in a queue action.
Analysis
by VulDB Data Team • 05/05/2026
CVE-2010-1244 is a critical cross-site request forgery (CSRF) flaw in the web administration interface of Apache ActiveMQ versions prior to 5.3.1, specifically in the createDestination.action endpoint. The console does not properly validate and authenticate requests that originate from external sources, so a page under a third party's control can cause the browser of an administrator or user who is logged in to the ActiveMQ management console to submit a request prepared by the attacker. The affected function is queue creation: the JMSDestination parameter of a queue action names the destination to create, which lets an unauthorized party add new queue destinations to the messaging infrastructure without holding any authorization of their own.
The root cause is the absence of request validation in the ActiveMQ web interface. When a queue action reaches createDestination.action, the console should confirm that the request was issued deliberately from an authenticated and authorized user session. The vulnerable implementation checks neither an anti-CSRF token nor any other evidence that the request came from its own pages, so the session cookie that the browser attaches automatically is enough for the request to be processed. An attacker can therefore construct a request carrying the JMSDestination parameter and have the target system act on it, creating unauthorized queues that may be used for further attacks or data exfiltration.
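The paragraph above describes two handler behaviours: one that honours any request carrying a session cookie, and the one a fix needs, which also requires proof that the request came from the console's own pages. The following Python model is an added example and is not ActiveMQ's code; the handler names, the assumed console origin, the `csrf_token` form field and the reduced parameter set (only `JMSDestination`) are all assumptions made for illustration. It shows the synchronizer-token pattern combined with an Origin/Referer check, which is the generic shape of the mitigation the analysis refers to.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Assumed origin of the admin console (constructed value, not from the advisory).
CONSOLE_ORIGIN = "https://broker.example.internal:8161"


@dataclass
class Session:
    """Server-side session; the per-session CSRF token is unknown to any other site."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str]
    headers: Dict[str, str]
    # The browser attaches the session cookie to cross-site requests too, so a
    # forged request still arrives with a valid session attached.
    session: Optional[Session] = None


@dataclass
class Broker:
    queues: Set[str] = field(default_factory=set)


def _same_origin(url: str, expected: str) -> bool:
    a, b = urlsplit(url), urlsplit(expected)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def vulnerable_create_destination(req: Request, broker: Broker) -> bool:
    """Models the pre-fix behaviour (hypothetical handler): a valid session is
    the only requirement, regardless of which page initiated the request."""
    if req.session is None:
        return False
    name = req.params.get("JMSDestination")
    if not name:
        return False
    broker.queues.add(name)
    return True


def hardened_create_destination(req: Request, broker: Broker) -> bool:
    """Hypothetical hardened handler: POST only, source origin must be the
    console, and the submitted token must match the session's token."""
    if req.session is None or req.method != "POST":
        return False
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source or not _same_origin(source, CONSOLE_ORIGIN):
        return False
    submitted = req.params.get("csrf_token", "")
    # Constant-time comparison so token checking leaks nothing via timing.
    if not hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode()):
        return False
    name = req.params.get("JMSDestination")
    if not name:
        return False
    broker.queues.add(name)
    return True


def demo() -> Dict[str, object]:
    """Runs a constructed forged request and a constructed legitimate request
    through both handlers and reports which were accepted."""
    admin = Session(user="admin")
    vulnerable_broker, hardened_broker = Broker(), Broker()
    # Forged: initiated by a third-party page, so the browser sets a foreign
    # Origin and the page cannot supply the session's token.
    forged = Request("POST", "/admin/createDestination.action",
                     {"JMSDestination": "unexpected.q"},
                     {"Origin": "https://third-party.example"}, session=admin)
    # Legitimate: submitted from the console's own form with its token.
    legit = Request("POST", "/admin/createDestination.action",
                    {"JMSDestination": "orders.q", "csrf_token": admin.csrf_token},
                    {"Origin": CONSOLE_ORIGIN}, session=admin)
    # Same origin but without the token: must also be refused.
    no_token = Request("POST", "/admin/createDestination.action",
                       {"JMSDestination": "orders2.q"},
                       {"Origin": CONSOLE_ORIGIN}, session=admin)
    return {
        "vulnerable_accepted_forged": vulnerable_create_destination(forged, vulnerable_broker),
        "hardened_accepted_forged": hardened_create_destination(forged, hardened_broker),
        "hardened_accepted_legit": hardened_create_destination(legit, hardened_broker),
        "hardened_accepted_no_token": hardened_create_destination(no_token, hardened_broker),
        "hardened_queues": sorted(hardened_broker.queues),
    }


if __name__ == "__main__":
    print(demo())
```

Both checks in the hardened handler are independent: the origin check alone would be weakened by clients that strip Referer and send no Origin, and the token check alone would be weakened by a token leak, so the two are layered.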
The operational impact goes beyond unauthorized queue creation, because it undermines the security posture of the whole ActiveMQ deployment. Attackers could use the flaw to create persistent queues that serve as staging points for more sophisticated attacks, potentially leading to message interception, data manipulation, or system compromise. The integrity of the messaging infrastructure suffers because the queue structure can be modified without authorization, which could disrupt legitimate message flow or let attackers establish backdoors within the messaging system. Unauthorized queues may also give attackers additional attack surface for privilege escalation or lateral movement within networks that rely on ActiveMQ for communication.
Organizations running affected versions of Apache ActiveMQ should upgrade immediately to version 5.3.1 or later, which contains the fix for this CSRF vulnerability. The patch addresses the root cause by adding session validation and anti-CSRF token mechanisms to the web administration interface. Security teams should also consider network-level protections such as web application firewalls that can detect and block suspicious requests targeting the createDestination.action endpoint. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) and is a classic example of how insufficient validation and authentication checks create security vulnerabilities in web applications. From an ATT&CK framework perspective, it maps to T1566 (Phishing) and T1071.004 (Application Layer Protocol: DNS), since attackers may use phishing to trick administrators into executing the forged requests, potentially leading to persistence and privilege escalation within the messaging infrastructure.
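The paragraph above suggests detecting suspicious requests to createDestination.action at the network or proxy layer. The following Python script is an added example, not part of the advisory or of ActiveMQ, that applies the same idea to access logs: it parses constructed combined-format log lines (the hostname, IP addresses, timestamps and queue names are all made up) and flags accepted requests to createDestination.action whose Referer is absent or points at a host other than the console. Requests the server rejected (status 4xx/5xx) are not flagged, since they changed nothing.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumed hostname of the admin console (constructed value).
CONSOLE_HOST = "broker.example.internal"

# Combined log format: ip ident user [ts] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one normal page view, one legitimate creation from the
# console, one creation with a foreign Referer, one with no Referer, and one
# unauthenticated attempt the server rejected.
SAMPLE_LOG = """
10.0.0.5 - admin [05/May/2026:10:00:01 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 1234 "https://broker.example.internal:8161/admin/index.jsp" "Mozilla/5.0"
10.0.0.5 - admin [05/May/2026:10:00:07 +0000] "POST /admin/createDestination.action?JMSDestination=orders.q HTTP/1.1" 302 0 "https://broker.example.internal:8161/admin/queues.jsp" "Mozilla/5.0"
10.0.0.5 - admin [05/May/2026:10:04:12 +0000] "GET /admin/createDestination.action?JMSDestination=staging.q HTTP/1.1" 302 0 "https://third-party.example/page.html" "Mozilla/5.0"
10.0.0.5 - admin [05/May/2026:10:05:40 +0000] "GET /admin/createDestination.action?JMSDestination=x.q HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [05/May/2026:10:06:02 +0000] "GET /admin/createDestination.action?JMSDestination=y.q HTTP/1.1" 401 0 "-" "curl/7.68"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Returns the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Returns a finding for an accepted createDestination.action request whose
    source cannot be tied to the console; None for everything else."""
    target = urlsplit(entry["target"])
    if not target.path.endswith("/createDestination.action"):
        return None
    if int(entry["status"]) >= 400:
        return None  # rejected by the server, no state change
    queue = parse_qs(target.query).get("JMSDestination", [""])[0]
    referer = entry["referer"]
    if referer in ("", "-"):
        reason = "missing Referer on a state-changing request"
    else:
        host = urlsplit(referer).hostname
        if host == CONSOLE_HOST:
            return None  # initiated from the console's own pages
        reason = f"Referer host {host!r} is not the console"
    return {"ts": entry["ts"], "ip": entry["ip"], "user": entry["user"],
            "method": entry["method"], "queue": queue, "reason": reason}


def scan(log_text: str) -> List[Dict[str, str]]:
    """Runs classify() over every parseable line and collects the findings."""
    findings = []
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']}@{f['ip']} {f['method']} queue={f['queue']}: {f['reason']}")
```

A missing Referer is weaker evidence than a foreign one, because privacy settings and some proxies strip the header; in practice the two reasons would be assigned different severities, and the same rule can be expressed as a proxy or WAF condition on the request path and Referer header.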