Bug 1404645 (CVE-2016-6810)

Summary:	CVE-2016-6810 activemq: Cross-site scripting in web based administration console
Product:	[Other] Security Response	Reporter:	Adam Mariš <amaris>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED ERRATA	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	abhgupta, agrimm, aileenc, ccoleman, chazlett, dedgar, dmcphers, gvarsami, java-sig-commits, jcoleman, jgoulding, jialiu, joelsmith, jokerman, ldimaggi, lmeyer, mmccomas, nwallace, puntogil, rwagner, soa-p-jira, s, tcunning, tdawson, tiwillia, tkirby
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	activemq 5.14.2	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2021-10-21 11:49:22 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1404646, 1404647
Bug Blocks:	1404648

Description Adam Mariš 2016-12-14 10:47:02 UTC

An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console. The root cause of this issue is improper user data output validation.

Affected versions: ActiveMQ 5.0.0 - 5.14.1

External Reference:

http://activemq.apache.org/security-advisories.data/CVE-2016-6810-announcement.txt

Comment 2 Adam Mariš 2016-12-14 10:48:00 UTC

Created activemq tracking bugs for this issue:

Affects: fedora-all [bug 1404647]

Comment 4 Hooman Broujerdi 2017-11-01 04:24:23 UTC

Mitigation: Users are advised to use hawtio as an alternative to the old management console.