CVE-2025-27391: 
Java vulnerability analysis and mitigation

A sensitive information exposure vulnerability (CVE-2025-27391) was discovered in Apache ActiveMQ Artemis versions 1.5.1 before 2.40.0. The vulnerability was disclosed on April 9, 2025, and involves the exposure of broker properties, including sensitive configuration information, when debug-level logging is enabled. The issue specifically occurs in the org.apache.activemq.artemis.core.config.impl.ConfigurationImpl logger component (Apache Security, NVD).

The vulnerability is classified as CWE-532 (Insertion of Sensitive Information into Log File). It received a CVSS 4.0 Base Score of 6.8 (Medium) with the vector string CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N. The issue occurs when the debug level is enabled for the ConfigurationImpl logger, causing all broker properties values to be logged, potentially exposing sensitive configuration information (NVD, Rapid7).

The vulnerability allows attackers with access to debug logs to obtain sensitive configuration information, including potential passwords and other security-critical data from the broker properties. This exposure of sensitive information could lead to unauthorized access or system compromise (Rapid7).

Users are strongly recommended to upgrade to Apache ActiveMQ Artemis version 2.40.0, which contains the fix for this vulnerability. As a temporary mitigation, organizations can restrict log access to only trusted users. Additionally, organizations should review and adjust their debug logging configurations to minimize exposure of sensitive information (Openwall, NVD).