CVE-2022-41678
Improper Authentication in Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution
Executive Summary
CVE-2022-41678 is a high severity vulnerability affecting api-security. It is classified as Improper Authentication. Ensure your systems and dependencies are patched immediately to mitigate exposure risks.
Precogs AI Insight
"Jolokia contains a vulnerability allowing authenticated users to trigger arbitrary JNDI lookups. Attackers exploit this insecure deserialization to load malicious Java classes from an attacker-controlled server, resulting in RCE. Precogs Application Security Module identifies unsafe object deserialization mechanisms."
What is this vulnerability?
CVE-2022-41678 is categorized as a high Improper Authentication flaw with a CVSS base score of 8.8. Based on our vulnerability intelligence, this issue occurs when the application fails to securely handle untrusted data boundaries.
Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.
In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia
org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject. And calls to org.jolokia.http.HttpRequestHandler#executeRequest.
Into deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest can be invoked through refection. This could lead to RCE through via various mbeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11.
1 Call newRecording.
2 Call setConfiguration. And a webshell data hides in it.
3 Call startRecording.
4 Call copyTo method. The webshell will be written to a .jsp file.
The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia. A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.
This architectural defect enables adversaries to bypass intended security controls, directly manipulating the application's execution state or data layer. Immediate strategic intervention is required.
Risk Assessment
| Metric | Value |
|---|---|
| CVSS Base Score | 8.8 (HIGH) |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Published | November 28, 2023 |
| Last Modified | November 3, 2025 |
| Related CWEs | CWE-287 |
Impact on Systems
✅ Unauthorized Data Access: Attackers can bypass authorization controls to access other users' data or administrative endpoints.
✅ Account Takeover: Broken authentication or authorization may enable full account compromise without valid credentials.
✅ API Abuse: Exploiting this vulnerability enables mass data harvesting or destructive operations through unprotected API endpoints.
How to Fix and Mitigate CVE-2022-41678
- Apply Vendor Patches: Upgrade affected components to their latest, non-vulnerable versions immediately.
- Implement Input Validation: Ensure all user-supplied data is validated, sanitized, and type-checked before processing.
- Deploy Runtime Protection: Use Precogs continuous monitoring to detect exploitation attempts in real time.
- Audit Dependencies: Review and update all third-party libraries and transitive dependencies.
Defending with Precogs AI
Jolokia contains a vulnerability allowing authenticated users to trigger arbitrary JNDI lookups. Attackers exploit this insecure deserialization to load malicious Java classes from an attacker-controlled server, resulting in RCE. Precogs Application Security Module identifies unsafe object deserialization mechanisms.
Use Precogs to continuously scan your codebase, binaries, APIs, and infrastructure for this vulnerability class and related attack patterns. Our AI-powered detection engine combines static analysis with threat intelligence to identify exploitable weaknesses before attackers do.
Vulnerability Code Signature
Attack Data Flow
| Stage | Detail |
|---|---|
| Source | Authentication endpoint |
| Vector | Flawed logic allows bypassing authentication checks |
| Sink | Access to protected resources |
| Impact | Account takeover, unauthorized access |
Vulnerable Code Pattern
// ❌ VULNERABLE: Improper Authentication
app.post('/login', (req, res) => {
const { username, password } = req.body;
// Taint sink: weak or bypassable validation
if (username === 'admin' || password === 'secret') {
req.session.authenticated = true;
res.send('Logged in');
}
});
Secure Code Pattern
// ✅ SECURE: Robust Authentication
const bcrypt = require('bcrypt');
app.post('/login', async (req, res) => {
const { username, password } = req.body;
const user = await db.getUser(username);
// Sanitized validation: secure password comparison
if (user && await bcrypt.compare(password, user.passwordHash)) {
req.session.authenticated = true;
res.send('Logged in');
} else {
res.status(401).send('Invalid credentials');
}
});
How Precogs Detects This
Precogs API Security Engine comprehensively audits endpoints to ensure strict authentication boundaries and secure logic.\n