CVSS: 7.5EPSS: 11%CPEs: 13EXPL: 0CVE-2019-0222 – activemq: Corrupt MQTT frame can cause broker shutdown
https://notcve.org/view.php?id=CVE-2019-0222
28 Mar 2019 — In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive. En Apache ActiveMQ, desde la versión 5.0.0 hasta la 5.15.8, la deserialización de una trama MQTT corrupta puede conducir a una excepción de bróker fuera de memoria, haciendo que no responda. AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protoc... • http://activemq.apache.org/security-advisories.data/CVE-2019-0222-announcement.txt •
CVSS: 6.1EPSS: 88%CPEs: 1EXPL: 0CVE-2018-8006
https://notcve.org/view.php?id=CVE-2018-8006
10 Oct 2018 — An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the queue.jsp page of Apache ActiveMQ versions 5.0.0 to 5.15.5. The root cause of this issue is improper data filtering of the QueueFilter parameter. Se ha identificado una instancia de una vulnerabilidad Cross-Site Scripting (XSS) en la consola de administración web en la página queue.jsp de Apache ActiveMQ de la version 5.0.0 a la 5.15.5. La causa raíz de este problema es el filtrado... • http://activemq.apache.org/security-advisories.data/CVE-2018-8006-announcement.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.4EPSS: 0%CPEs: 7EXPL: 0CVE-2018-11775 – activemq: ActiveMQ Client Missing TLS Hostname Verification
https://notcve.org/view.php?id=CVE-2018-11775
10 Sep 2018 — TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default. Falta la verificación de nombres de host TLS al emplear Apache ActiveMQ Client en versiones anteriores a la 5.15.6, lo que podría hacer que el cliente sea vulnerable a un ataque Man-in-the-Middle (MitM) entre una aplicación Java que emplea el cliente Activ... • http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt • CWE-295: Improper Certificate Validation •
CVSS: 4.3EPSS: 65%CPEs: 1EXPL: 0CVE-2017-15709
https://notcve.org/view.php?id=CVE-2017-15709
13 Feb 2018 — When using the OpenWire protocol in ActiveMQ versions 5.14.0 to 5.15.2 it was found that certain system details (such as the OS and kernel version) are exposed as plain text. Al utilizar el protocolo OpenWire en ActiveMQ, versiones 5.14.0 a 5.15.2, se ha descubierto que ciertos detalles del sistema (como el sistema operativo y la versión del kernel) se exponen en texto plano. • https://lists.apache.org/thread.html/03f91b1fb85686a848cee6b90112cf6059bd1b21b23bacaa11a962e1%40%3Cdev.activemq.apache.org%3E • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 0CVE-2016-6810
https://notcve.org/view.php?id=CVE-2016-6810
10 Jan 2018 — In Apache ActiveMQ 5.x before 5.14.2, an instance of a cross-site scripting vulnerability was identified to be present in the web based administration console. The root cause of this issue is improper user data output validation. En Apache ActiveMQ en versiones 5.x anteriores a la 5.14.2, se ha identificado una instancia de una vulnerabilidad Cross-Site Scripting (XSS) que está presente en la consola de administración web. La causa del problema es la validación incorrecta de los datos de salida del usuario. • http://activemq.apache.org/security-advisories.data/CVE-2016-6810-announcement.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 94%CPEs: 1EXPL: 10CVE-2016-3088 – Apache ActiveMQ Improper Input Validation Vulnerability
https://notcve.org/view.php?id=CVE-2016-3088
24 May 2016 — The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request. La aplicación web Fileserver en Apache ActiveMQ 5.x en versiones anteriores a 5.14.0 permite a atacantes remotos cargar y ejecutar archivos arbitrarios a través de un PUT HTTP seguido de una petición MOVE HTTP. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apache ActiveMQ. Auth... • https://packetstorm.news/files/id/143191 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 10%CPEs: 27EXPL: 0CVE-2016-0734 – activemq: Clickjacking in Web Console
https://notcve.org/view.php?id=CVE-2016-0734
13 Mar 2016 — The web-based administration console in Apache ActiveMQ 5.x before 5.13.2 does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element. La consola de administración basada en web en Apache ActiveMQ 5.x en versiones anteriores a 5.13.2 no envía una cabecera X-Frame-Options HTTP, lo que facilita a atacantes remotos llevar a cabo ataques de secuestro de clic a través de una página ... • http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt • CWE-254: 7PK - Security Features •
CVSS: 5.4EPSS: 1%CPEs: 28EXPL: 0CVE-2016-0782 – activemq: Cross-site scripting vulnerabilities in web console
https://notcve.org/view.php?id=CVE-2016-0782
13 Mar 2016 — The administration web console in Apache ActiveMQ 5.x before 5.11.4, 5.12.x before 5.12.3, and 5.13.x before 5.13.2 allows remote authenticated users to conduct cross-site scripting (XSS) attacks and consequently obtain sensitive information from a Java memory dump via vectors related to creating a queue. La consola de administración web en Apache ActiveMQ 5.x en versiones anteriores a 5.11.4, 5.12.x en versiones anteriores a 5.12.3 y 5.13.x en versiones anteriores a 5.13.2 permite a usuarios remotos autent... • http://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcement.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 84%CPEs: 27EXPL: 3CVE-2015-5254 – ObjectMessage: unsafe deserialization
https://notcve.org/view.php?id=CVE-2015-5254
08 Jan 2016 — Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object. Apache ActiveMQ 5.x en versiones anteriores a 5.13.0 no restringe las clases que pueden ser serializadas en el broker, lo que permite a atacantes remotos ejecutar código arbitrario a través de un objeto ObjectMessage Java Message Service (JMS) serializado manipulado. It was found... • https://github.com/jas502n/CVE-2015-5254 • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •
CVSS: 5.3EPSS: 3%CPEs: 20EXPL: 0CVE-2015-6524
https://notcve.org/view.php?id=CVE-2015-6524
24 Aug 2015 — The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows wildcard operators in usernames, which allows remote attackers to obtain credentials via a brute force attack. NOTE: this identifier was SPLIT from CVE-2014-3612 per ADT2 due to different vulnerability types. La implementación de LDAPLoginModule en el Java Authentication y Authorization Service (JAAS) en Apache ActiveMQ 5.x en versiones anteriores a 5.10.1 permite operad... • http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txt • CWE-255: Credentials Management Errors •