Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Activemq
(Apache)| Repositories | https://github.com/apache/activemq |
| #Vulnerabilities | 36 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2020-05-14 | CVE-2020-1941 | In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue. | Activemq, Communications_diameter_signaling_router, Communications_element_manager, Communications_session_report_manager, Communications_session_route_manager, Enterprise_repository, Flexcube_private_banking | 6.1 | ||
| 2020-09-10 | CVE-2020-11998 | A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html "A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other... | Activemq, Communications_diameter_signaling_router, Communications_element_manager, Communications_session_report_manager, Communications_session_route_manager, Enterprise_repository, Flexcube_private_banking | 9.8 | ||
| 2020-11-16 | CVE-2020-26217 | XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14. | Activemq, Debian_linux, Snapmanager, Banking_cash_management, Banking_corporate_lending_process_management, Banking_credit_facilities_process_management, Banking_platform, Banking_supply_chain_finance, Banking_trade_finance_process_management, Banking_virtual_account_management, Business_activity_monitoring, Communications_policy_management, Endeca_information_discovery_studio, Retail_xstore_point_of_service, Xstream | 8.8 | ||
| 2021-02-08 | CVE-2020-13947 | An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the message.jsp page of Apache ActiveMQ versions 5.15.12 through 5.16.0. | Activemq, Communications_session_report_manager, Communications_session_route_manager | 6.1 | ||
| 2015-02-12 | CVE-2014-8110 | Multiple cross-site scripting (XSS) vulnerabilities in the web based administration console in Apache ActiveMQ 5.x before 5.10.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | Activemq | N/A | ||
| 2015-08-19 | CVE-2015-1830 | Directory traversal vulnerability in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5.x before 5.11.2 for Windows allows remote attackers to create JSP files in arbitrary directories via unspecified vectors. | Activemq | N/A | ||
| 2015-08-24 | CVE-2014-3612 | The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6524 for the use of wildcard operators in usernames. | Activemq | N/A | ||
| 2015-08-24 | CVE-2015-6524 | The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows wildcard operators in usernames, which allows remote attackers to obtain credentials via a brute force attack. NOTE: this identifier was SPLIT from CVE-2014-3612 per ADT2 due to different vulnerability types. | Activemq, Fedora | N/A | ||
| 2013-04-21 | CVE-2013-3060 | The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests. | Activemq | N/A | ||
| 2014-02-05 | CVE-2013-1880 | Cross-site scripting (XSS) vulnerability in the Portfolio publisher servlet in the demo web application in Apache ActiveMQ before 5.9.0 allows remote attackers to inject arbitrary web script or HTML via the refresh parameter to demo/portfolioPublish, a different vulnerability than CVE-2012-6092. | Activemq | N/A |