Posted to issues@activemq.apache.org by "Albert Baker (JIRA)" <ji...@apache.org> on 2018/06/15 14:24:00 UTC

[jira] [Created] (AMQ-6987) ActiveMQ 5.15.4 contains activemq-camel-5.15.4.jar which has two high severity CVEs against it

Albert Baker created AMQ-6987:
---------------------------------

             Summary: ActiveMQ 5.15.4 contains activemq-camel-5.15.4.jar which has two high severity CVEs against it
                 Key: AMQ-6987
                 URL: https://issues.apache.org/jira/browse/AMQ-6987
             Project: ActiveMQ
          Issue Type: Bug
          Components: activemq-camel
    Affects Versions: 5.15.4
         Environment: Customer environment is a mix of Linux and Windows, Gig-LAN.  Will not accept the risk of having even one high severity CVE in their environment.
            Reporter: Albert Baker


ActiveMQ 5.15.4 contains activemq-camel-5.15.4.jar which has two high severity CVEs against it.
Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running the OWASP report.

CVE-2015-5183 Severity:High  CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 Security Features
The Hawtio console in A-MQ does not set HTTPOnly or Secure attributes on cookies.

CVE-2015-5184  Severity:High  CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 Security Features
The Hawtio console in A-MQ allows remote attackers to obtain sensitive information and perform other unspecified impact.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)