
ActiveMQ 5.15.4 activeio-core-3.1.4.jar which has three high severity CVEs against it.


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Invalid
    • Affects Version/s: 5.15.4
    • Fix Version/s: None
    • Component/s: Web Console
    • Labels: None
    • Environment:

      Description

      ActiveMQ 5.15.4 activeio-core-3.1.4.jar which has three high severity CVEs against it.
      Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running the OWASP report.

      CVE-2015-5183
      Severity: High
      CVSS Score: 7.5 (AV:N/AC:L/Au:N/C/I/A)
      CWE: CWE-254 Security Features
      The Hawtio console in A-MQ does not set HTTPOnly or Secure attributes on cookies.
      CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1249182
      Vulnerable Software & Versions:
      cpe:/a:apache:activemq:-

      CVE-2015-5184
      Severity: High
      CVSS Score: 7.5 (AV:N/AC:L/Au:N/C/I/A)
      CWE: CWE-254 Security Features
      The Hawtio console in A-MQ allows remote attackers to obtain sensitive information and perform other unspecified impact.
      CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1249183
      Vulnerable Software & Versions:
      cpe:/a:apache:activemq:-

      CVE-2016-3088
      Severity: High
      CVSS Score: 7.5 (AV:N/AC:L/Au:N/C/I/A)
      CWE: CWE-20 Improper Input Validation
      The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
      CONFIRM - http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
      EXPLOIT-DB - 42283
      MISC - http://www.zerodayinitiative.com/advisories/ZDI-16-356
      MISC - http://www.zerodayinitiative.com/advisories/ZDI-16-357
      REDHAT - RHSA-2016:2036
      SECTRACK - 1035951
      Vulnerable Software & Versions:
      cpe:/a:apache:activemq:5.13.3 and all previous versions

    People

    • Assignee: Unassigned
    • Reporter: Albert Baker (ABakerIII)