[AMQ-6995] ActiveMQ 5.15.4 activemq-ra-5.15.4.jar which has two high severity CVEs against it. - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Invalid
Affects Version/s: 5.15.4
Fix Version/s: None
Component/s: Web Console
Labels:
None
Environment:

Hide

Environment: Customer environment is a mix of Linux and Windows, Gig-LAN (Medical & Finacial services). Will not accept the risk of having even one high severity CVE in thier environment. The cost of (SOX/HIPPA) insurence is too high to allow even one CVE with newly deployed systems.

Show
Environment: Customer environment is a mix of Linux and Windows, Gig-LAN (Medical & Finacial services). Will not accept the risk of having even one high severity CVE in thier environment. The cost of (SOX/HIPPA) insurence is too high to allow even one CVE with newly deployed systems.

Description

CVE-2015-5183 Severity:High CVSS Score: 7.5 (AV:N/AC:L/Au:N/C/I/A)
CWE: CWE-254 Security Features
The Hawtio console in A-MQ does not set HTTPOnly or Secure attributes on cookies.
CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1249182
Vulnerable Software & Versions:
cpe:/a:apache:activemq:-

CVE-2015-5184 Severity:High CVSS Score: 7.5 (AV:N/AC:L/Au:N/C/I/A)
CWE: CWE-254 Security Features
The Hawtio console in A-MQ allows remote attackers to obtain sensitive information and perform other unspecified impact.
CONFIRM - https://bugzilla.redhat.c

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Albert Baker

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 15/Jun/18 15:15

Updated:: 28/Jul/18 02:34

Resolved:: 24/Jul/18 10:35