Bug 1317516 (CVE-2016-0782) - CVE-2016-0782 activemq: Cross-site scripting vulnerabilities in web console
Summary: CVE-2016-0782 activemq: Cross-site scripting vulnerabilities in web console
Keywords:
Status: NEW
Alias: CVE-2016-0782
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1317521 1317522
Blocks: 1317528 1353267
TreeView+ depends on / blocked
 
Reported: 2016-03-14 13:02 UTC by Adam Mariš
Modified: 2019-09-29 13:45 UTC (History)
26 users (show)

Fixed In Version: activemq 5.11.4, activemq 5.12.3, activemq 5.13.2
Doc Type: Bug Fix
Doc Text:
It was found that Apache Active MQ administration web console did not validate input correctly when creating a queue. An authenticated attacker could exploit this flaw via cross-site scripting and use it to access sensitive information or further attacks.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1424 normal SHIPPED_LIVE Moderate: Red Hat JBoss Fuse/A-MQ 6.2.1 security and bug fix update 2016-07-13 23:44:16 UTC

Description Adam Mariš 2016-03-14 13:02:12 UTC
Several instances of cross-site scripting vulnerabilities were identified to be present in the web based administration console as well as the ability to trigger a Java memory dump into an arbitrary folder. The root cause of these issues are improper user data output validation and incorrect permissions configured on Jolokia.

Affected versions: ActiveMQ 5.0.0 - 5.13.1

External Reference:

http://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcement.txt

Comment 2 Adam Mariš 2016-03-14 13:10:36 UTC
Created activemq tracking bugs for this issue:

Affects: fedora-all [bug 1317522]

Comment 3 xiaohui Wu 2016-03-25 02:03:02 UTC
https://issues.jboss.org/browse/ENTMQ-1586 was opened to track

Comment 6 errata-xmlrpc 2016-07-13 19:44:56 UTC
This issue has been addressed in the following products:

  JBoss Fuse 6.2.1
  JBoss A-MQ 6.2.1

Via RHSA-2016:1424 https://access.redhat.com/errata/RHSA-2016:1424


Note You need to log in before you can comment on or make changes to this bug.