Affects Version/s: 5.15.14
Fix Version/s: None
Please have a look at this vulnerability - https://nvd.nist.gov/vuln/detail/CVE-2020-26217
This is reported on XStream before version 1.4.14.
I checked your latest release - apache-activemq-5.16.0 still have the vulnerable XStream jar.
We use ActiveMq in our product and it has been reported as a security vulnerability.
- Can you confirm if ActiveMq is vulnerable to this CVE?
- If no, then can you confirm which ActiveMq version is safe to use?
- If yes, then we need an upgraded ActiveMq jar with this fix. Need to know the expected timeline.
Need an urgent response, if possible.
Thanks and regards,