Bug 2109805 (CVE-2022-35278) - CVE-2022-35278 activemq-artemis: AMQ Broker web console HTML Injection
Summary: CVE-2022-35278 activemq-artemis: AMQ Broker web console HTML Injection
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-35278
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2109811
TreeView+ depends on / blocked
 
Reported: 2022-07-22 07:54 UTC by Sandipan Roy
Modified: 2023-06-29 18:23 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A security vulnerability was found in ActiveMQ Artemis. This flaw allows an attacker to show malicious content and redirect users to a malicious URL in the web console by using HTML in the name of an address or queue.
Clone Of:
Environment:
Last Closed: 2022-09-03 13:55:46 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:6292 0 None None None 2022-09-01 07:19:11 UTC
Red Hat Product Errata RHSA-2022:6916 0 None None None 2022-10-12 07:57:32 UTC

Description Sandipan Roy 2022-07-22 07:54:07 UTC
HTML injection is a type of injection vulnerability that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page. This vulnerability can have many consequences, like disclosure of a user’s session cookies that could be used to impersonate the victim, or, more generally, it can allow the attacker to modify the page content seen by the victims.
This vulnerability occurs when user input is not correctly sanitized and the output is not encoded. An injection allows the attacker to send a malicious HTML page to a victim. The targeted browser will not be able to distinguish (trust) legitimate parts from malicious parts of the page, and consequently will parse and execute the whole page in the victim’s context.

Comment 4 errata-xmlrpc 2022-09-01 07:19:08 UTC
This issue has been addressed in the following products:

  Red Hat AMQ 7.8.7

Via RHSA-2022:6292 https://access.redhat.com/errata/RHSA-2022:6292

Comment 5 Product Security DevOps Team 2022-09-03 13:55:44 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-35278

Comment 6 errata-xmlrpc 2022-10-12 07:57:30 UTC
This issue has been addressed in the following products:

  AMQ Broker 7.10.1

Via RHSA-2022:6916 https://access.redhat.com/errata/RHSA-2022:6916


Note You need to log in before you can comment on or make changes to this bug.