Type: Bug
Status: Closed
Priority: Blocker
Resolution: Invalid
Affects Version/s: 5.15.4
Fix Version/s: None
Component/s: Web Console
Labels: None
ActiveMQ 5.15.4 ships activeio-core-3.1.4.jar, which has three high-severity CVEs reported against it.
Discovered by adding OWASP Dependency-Check to the ActiveMQ pom.xml and running its report.
CVE-2015-5183
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 Security Features
The Hawtio console in A-MQ does not set HTTPOnly or Secure attributes on cookies.
CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1249182
Vulnerable Software & Versions:
cpe:/a:apache:activemq:-
CVE-2015-5184
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 Security Features
The Hawtio console in A-MQ allows remote attackers to obtain sensitive information and perform other unspecified impact.
CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1249183
Vulnerable Software & Versions:
cpe:/a:apache:activemq:-
CVE-2016-3088
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
CONFIRM - http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
EXPLOIT-DB - 42283
MISC - http://www.zerodayinitiative.com/advisories/ZDI-16-356
MISC - http://www.zerodayinitiative.com/advisories/ZDI-16-357
REDHAT - RHSA-2016:2036
SECTRACK - 1035951
Vulnerable Software & Versions:
cpe:/a:apache:activemq:5.13.3 and all previous versions
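All three findings are matched on the CPE `cpe:/a:apache:activemq` (the product as a whole), while the CVE texts describe the Hawtio console and the Fileserver web application, and the issue was closed as Invalid. The practical question for anyone reproducing this report is how to silence a CPE match on one artifact without hiding the CVE for the whole build. The following Dependency-Check suppression file is an added example, not part of this issue or of the ActiveMQ project: the file name `owasp-suppressions.xml`, the text inside `notes`, and the judgement that the match is a false positive for a particular build are assumptions; the `suppressions` schema, the `gav`, `cpe` and `cve` elements are Dependency-Check's own suppression syntax.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the issue): owasp-suppressions.xml for OWASP Dependency-Check. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

  <!-- Scoped suppression: only the activeio-core artifact loses the
       cpe:/a:apache:activemq match. The same CPE still fires on a genuine
       ActiveMQ broker jar, so the finding is not hidden build-wide. The regex
       matches groupId:artifactId:version, hence every activeio-core version. -->
  <suppress>
    <notes><![CDATA[
      Assumed false-positive CPE match for this build: the CVEs reported against
      activeio-core-3.1.4.jar (CVE-2015-5183, CVE-2015-5184, CVE-2016-3088)
      describe the Hawtio console and the Fileserver web application, not the
      activeio library. Reviewed against ActiveMQ 5.15.4; re-check on upgrade.
    ]]></notes>
    <gav regex="true">^org\.apache\.activemq:activeio-core:.*$</gav>
    <cpe>cpe:/a:apache:activemq</cpe>
  </suppress>

  <!-- Weak form, kept commented out on purpose: a bare <cve> suppression with
       no gav/sha1 scope applies to every dependency in the scan, including one
       that really does contain the vulnerable Fileserver web application. -->
  <!--
  <suppress>
    <cve>CVE-2016-3088</cve>
  </suppress>
  -->

</suppressions>
```

The Maven plugin reads this file through its `suppressionFiles` configuration. The `notes` block is what makes the suppression reviewable later: it records which version was assessed and why the match was judged wrong, so the entry can be revisited when the dependency or the NVD data changes rather than silently outliving its justification.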