An XXE vulnerability was reported in the XPath component of HornetQ, which is present in various middleware products.
Acknowledgements: Red Hat would like to thank David Jorm of IIX Product Security for reporting this issue.
This issue appears to have been fixed in the following commit: https://github.com/apache/activemq-artemis/commit/48d9951d879e0c8cbb59d4b64ab59d53ef88310d
There is no release prior to that commit. Why is this being considered a CVE?
There has never been a release of Artemis before that commit. Is there any way to challenge the CVE?
Hi Clebert, I have asked two Product Security engineers to review this flaw and update the metadata if it is indeed incorrect.
In HornetQ... maybe... but never in Artemis. I'm not sure this was an issue with HornetQ... as maybe it wasn't released.
Kurt, I don't think that SAM or Sat 6 could be affected here. The affected code never made it into a release AFAIK. Can you verify and update the whiteboard on this?
Created hornetq tracking bugs for this issue: Affects: fedora-all [bug 1478551]
This issue has been addressed in the following products: Red Hat Satellite 6.4 for RHEL 7 Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927
(In reply to Clebert Suconic from comment #7)
> There has never been a release of Artemis before that commit. is there any
> way to challenge the CVE?

https://cve.mitre.org/cve/cna/rules.html#appendix_c_process_to_correct_assignment_issues_update_cve_entries
https://cve.mitre.org/about/documents.html

CNA Processes
English: https://cve.mitre.org/cve/cna/CNA_Processes.pptx | https://youtu.be/yLqUMKD2Y9k
Japanese: https://cve.mitre.org/cve/cna/CNA_Processes_ja.pptx