Uploaded image for project: 'ActiveMQ'
  1. ActiveMQ
  2. AMQ-7252

SEV2 Vulnerabilities: Apache ActiveMQ Server libraries: commons-net-3.6.jar and velocity-1.7.jar

    XMLWordPrintableJSON

Details

    • Important

    Description

      SEV2 Vulnerabilities: Apache ActiveMQ Server libraries: commons-net-3.6.jar and velocity-1.7.jar

       

      commons-net-3.6.jar

      • Apache Commons Net contains a flaw in the changeWorkingDirectory() function in ftpClient.java that is triggered as user-supplied input is not properly sanitized. This may allow a remote attacker to use a newline character in a specially crafted string to execute arbitrary commands.

       

      velocity-1.7.jar

      • Apache Commons FileUpload contains flaw that is due to ParametersInterceptor allowing access to the 'class' parameter. This may allow a remote attacker to manipulate the ClassLoader and execute arbitrary Java code.

       

      • Apache Commons Collections contains a flaw in the InvokerTransformer class. This issue is triggered when handling Java code, which may invoke unsafe deserialize calls. This may allow a remote attacker to execute arbitrary code.

       

      • Apache Velocity contains a flaw that allows traversing outside of a restricted path. The issue is due to VelocityLayoutServlet not properly sanitizing user input, specifically path traversal style attacks (e.g. '../') supplied via the 'layout' parameter. With a specially crafted request, a remote attacker can gain access to potentially sensitive information.

      Attachments

        Issue Links

          Activity

            People

              jbonofre Jean-Baptiste Onofré
              vipink Vipin
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 20m
                  20m