CVE-2016-0734

activemq: Clickjacking in Web Console

Severity Score

6.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The web-based administration console in Apache ActiveMQ 5.x before 5.13.2 does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element.

La consola de administración basada en web en Apache ActiveMQ 5.x en versiones anteriores a 5.13.2 no envía una cabecera X-Frame-Options HTTP, lo que facilita a atacantes remotos llevar a cabo ataques de secuestro de clic a través de una página web manipulada que contiene un elemento (1) FRAME o (2) IFRAME.

It was reported that the web based administration console does not set the X-Frame-Options header in HTTP responses. This allows the console to be embedded in a frame or iframe which could then be used to cause a user to perform an unintended action in the console.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2015-12-16 CVE Reserved
2016-03-13 CVE Published
2023-03-07 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-254: 7PK - Security Features

CAPEC

References (8)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2016/03/10/11	Mailing List
http://www.securityfocus.com/bid/84321	Vdb Entry
http://www.securitytracker.com/id/1035327	Vdb Entry
https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E	Mailing List

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt	2023-11-07
https://access.redhat.com/errata/RHSA-2016:1424	2023-11-07
https://access.redhat.com/security/cve/CVE-2016-0734	2016-07-13
https://bugzilla.redhat.com/show_bug.cgi?id=1317520	2016-07-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.0.0 Search vendor "Apache" for product "Activemq" and version "5.0.0"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.1.0 Search vendor "Apache" for product "Activemq" and version "5.1.0"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.2.0 Search vendor "Apache" for product "Activemq" and version "5.2.0"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.3.0 Search vendor "Apache" for product "Activemq" and version "5.3.0"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.3.1 Search vendor "Apache" for product "Activemq" and version "5.3.1"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.3.2 Search vendor "Apache" for product "Activemq" and version "5.3.2"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.4.0 Search vendor "Apache" for product "Activemq" and version "5.4.0"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.4.1 Search vendor "Apache" for product "Activemq" and version "5.4.1"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.4.2 Search vendor "Apache" for product "Activemq" and version "5.4.2"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.4.3 Search vendor "Apache" for product "Activemq" and version "5.4.3"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.5.0 Search vendor "Apache" for product "Activemq" and version "5.5.0"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.5.1 Search vendor "Apache" for product "Activemq" and version "5.5.1"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.6.0 Search vendor "Apache" for product "Activemq" and version "5.6.0"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.7.0 Search vendor "Apache" for product "Activemq" and version "5.7.0"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.8.0 Search vendor "Apache" for product "Activemq" and version "5.8.0"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.9.0 Search vendor "Apache" for product "Activemq" and version "5.9.0"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.9.1 Search vendor "Apache" for product "Activemq" and version "5.9.1"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.10.0 Search vendor "Apache" for product "Activemq" and version "5.10.0"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.10.1 Search vendor "Apache" for product "Activemq" and version "5.10.1"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.10.2 Search vendor "Apache" for product "Activemq" and version "5.10.2"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.11.0 Search vendor "Apache" for product "Activemq" and version "5.11.0"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.11.1 Search vendor "Apache" for product "Activemq" and version "5.11.1"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.11.2 Search vendor "Apache" for product "Activemq" and version "5.11.2"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.12.0 Search vendor "Apache" for product "Activemq" and version "5.12.0"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.12.1 Search vendor "Apache" for product "Activemq" and version "5.12.1"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.12.2 Search vendor "Apache" for product "Activemq" and version "5.12.2"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.13.0 Search vendor "Apache" for product "Activemq" and version "5.13.0"		-		Affected