CVSS: 6.4EPSS: 1%CPEs: 3EXPL: 0CVE-2022-35278 – HTML Injection in ActiveMQ Artemis Web Console
https://notcve.org/view.php?id=CVE-2022-35278
23 Aug 2022 — In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue. En Apache ActiveMQ Artemis versiones anteriores a 2.24.0, un atacante podía mostrar contenido malicioso y/o redirigir a usuarios a una URL maliciosa en la consola web usando HTML en el nombre de una dirección o cola. A security vulnerability was found in ActiveMQ Artemis. This flaw allows an attacker to show malicio... • https://lists.apache.org/thread/bh6y81wtotg75337bpvxcjy436zfgf3n • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-4040 – Broker: Malformed message can result in partial DoS (OOM)
https://notcve.org/view.php?id=CVE-2021-4040
20 Jun 2022 — A flaw was found in AMQ Broker. This issue can cause a partial interruption to the availability of AMQ Broker via an Out of memory (OOM) condition. This flaw allows an attacker to partially disrupt availability to the broker through a sustained attack of maliciously crafted messages. The highest threat from this vulnerability is system availability. Se ha encontrado un fallo en AMQ Broker. • https://access.redhat.com/security/cve/CVE-2021-4040 • CWE-400: Uncontrolled Resource Consumption CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1CVE-2022-23913 – Apache ActiveMQ Artemis DoS
https://notcve.org/view.php?id=CVE-2022-23913
04 Feb 2022 — In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory. En Apache ActiveMQ Artemis versiones anteriores a 2.20.0 o 2.19.1, un atacante podría interrumpir parcialmente la disponibilidad (DoS) mediante el consumo no controlado de recursos de la memoria Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss... • https://lists.apache.org/thread/fjynj57rd99s814rdn5hzvmx8lz403q2 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.1EPSS: 16%CPEs: 10EXPL: 0CVE-2021-26117 – ActiveMQ: LDAP-Authentication does not verify passwords on servers with anonymous bind
https://notcve.org/view.php?id=CVE-2021-26117
27 Jan 2021 — The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid users password in error, resulting in no check on the password. El módulo de inicio de sesión LDAP de ActiveMQ opcional puede ser configurado para usar el acceso anónimo al servidor LDAP. En este caso, para Apache ActiveMQ Artemis an... • https://lists.apache.org/thread.html/r110cacfa754471361234965ffe851a046e302ff2693b055f49f47b02%40%3Cissues.activemq.apache.org%3E • CWE-287: Improper Authentication •
CVSS: 6.5EPSS: 2%CPEs: 1EXPL: 0CVE-2020-13932 – activemq: remote XSS in web console diagram plugin
https://notcve.org/view.php?id=CVE-2020-13932
20 Jul 2020 — In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT packet which has an XSS payload as client-id or topic name can exploit this vulnerability. The XSS payload is being injected into the admin console's browser. The XSS payload is triggered in the diagram plugin; queue node and the info section. En Apache ActiveMQ Artemis versiones 2.5.0 hasta 2.13.0, un paquete MQTT especialmente diseñado que presenta una carga útil XSS como id del cliente o nombre de tema puede explotar esta vulnerabilidad... • https://activemq.apache.org/security-advisories.data/CVE-2020-13932-announcement.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-10727 – broker: resetUsers operation stores password in plain text
https://notcve.org/view.php?id=CVE-2020-10727
25 Jun 2020 — A flaw was found in ActiveMQ Artemis management API from version 2.7.0 up until 2.12.0, where a user inadvertently stores passwords in plaintext in the Artemis shadow file (etc/artemis-users.properties file) when executing the `resetUsers` operation. A local attacker can use this flaw to read the contents of the Artemis shadow file. Se encontró un fallo en la API de administración de ActiveMQ Artemis desde versiones 2.7.0 hasta 2.12.0, donde un usuario almacena inadvertidamente contraseñas en texto plano en... • https://bugzilla.redhat.com/show_bug.cgi?id=1827200 • CWE-312: Cleartext Storage of Sensitive Information CWE-522: Insufficiently Protected Credentials •