CVSS: 6.4EPSS: 1%CPEs: 3EXPL: 0CVE-2022-35278 – HTML Injection in ActiveMQ Artemis Web Console
https://notcve.org/view.php?id=CVE-2022-35278
23 Aug 2022 — In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue. En Apache ActiveMQ Artemis versiones anteriores a 2.24.0, un atacante podía mostrar contenido malicioso y/o redirigir a usuarios a una URL maliciosa en la consola web usando HTML en el nombre de una dirección o cola. A security vulnerability was found in ActiveMQ Artemis. This flaw allows an attacker to show malicio... • https://lists.apache.org/thread/bh6y81wtotg75337bpvxcjy436zfgf3n • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-4040 – Broker: Malformed message can result in partial DoS (OOM)
https://notcve.org/view.php?id=CVE-2021-4040
20 Jun 2022 — A flaw was found in AMQ Broker. This issue can cause a partial interruption to the availability of AMQ Broker via an Out of memory (OOM) condition. This flaw allows an attacker to partially disrupt availability to the broker through a sustained attack of maliciously crafted messages. The highest threat from this vulnerability is system availability. Se ha encontrado un fallo en AMQ Broker. • https://access.redhat.com/security/cve/CVE-2021-4040 • CWE-400: Uncontrolled Resource Consumption CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1CVE-2022-23913 – Apache ActiveMQ Artemis DoS
https://notcve.org/view.php?id=CVE-2022-23913
04 Feb 2022 — In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory. En Apache ActiveMQ Artemis versiones anteriores a 2.20.0 o 2.19.1, un atacante podría interrumpir parcialmente la disponibilidad (DoS) mediante el consumo no controlado de recursos de la memoria Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss... • https://lists.apache.org/thread/fjynj57rd99s814rdn5hzvmx8lz403q2 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.1EPSS: 16%CPEs: 10EXPL: 0CVE-2021-26117 – ActiveMQ: LDAP-Authentication does not verify passwords on servers with anonymous bind
https://notcve.org/view.php?id=CVE-2021-26117
27 Jan 2021 — The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid users password in error, resulting in no check on the password. El módulo de inicio de sesión LDAP de ActiveMQ opcional puede ser configurado para usar el acceso anónimo al servidor LDAP. En este caso, para Apache ActiveMQ Artemis an... • https://lists.apache.org/thread.html/r110cacfa754471361234965ffe851a046e302ff2693b055f49f47b02%40%3Cissues.activemq.apache.org%3E • CWE-287: Improper Authentication •
CVSS: 7.8EPSS: 20%CPEs: 12EXPL: 0CVE-2017-12174 – artemis/hornetq: memory exhaustion via UDP and JGroups discovery
https://notcve.org/view.php?id=CVE-2017-12174
05 Feb 2018 — It was found that when Artemis and HornetQ before 2.4.0 are configured with UDP discovery and JGroups discovery a huge byte array is created when receiving an unexpected multicast message. This may result in a heap memory exhaustion, full GC, or OutOfMemoryError. Se ha descubierto que cuando Artemis y HornetQ, en versiones anteriores a la 2.4.0, se configuran con detección UDP y detección JGroups, se crea un array con muchos bytes al recibir un mensaje multicast inesperado. Esto podría resultar en un agotam... • https://access.redhat.com/errata/RHSA-2018:0268 • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.2EPSS: 1%CPEs: 10EXPL: 0CVE-2016-4978 – Artemis: Deserialization of untrusted input vulnerability
https://notcve.org/view.php?id=CVE-2016-4978
27 Sep 2016 — The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes being present on the Artemis classpath. El método getObject de la clase javax.jms.ObjectMessage en el (1) cliente JMS Core, (2) broker Artemis y (3) com... • http://mail-archives.apache.org/mod_mbox/activemq-users/201609.mbox/%3CCAH6wpnqzeNtpykT7emtDU1-GV7AvjFP5-YroWcCC4UZyQEFvtA%40mail.gmail.com%3E • CWE-502: Deserialization of Untrusted Data •