CVE-2022-35278
HTML Injection in ActiveMQ Artemis Web Console
Severity Score
6.1
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue.
En Apache ActiveMQ Artemis versiones anteriores a 2.24.0, un atacante podía mostrar contenido malicioso y/o redirigir a usuarios a una URL maliciosa en la consola web usando HTML en el nombre de una dirección o cola.
A security vulnerability was found in ActiveMQ Artemis. This flaw allows an attacker to show malicious content and redirect users to a malicious URL in the web console by using HTML in the name of an address or queue.
*Credits:
Apache ActiveMQ would like to thank Yash Pandya (Digital14), Rajatkumar Karmarkar (Digital14), and Likhith Cheekatipalle (Digital14) for reporting this issue.
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-07-06 CVE Reserved
- 2022-08-23 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-19 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://lists.apache.org/thread/bh6y81wtotg75337bpvxcjy436zfgf3n | Mailing List | |
| https://security.netapp.com/advisory/ntap-20221209-0005 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2022-35278 | 2022-10-12 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2109805 | 2022-10-12 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Activemq Artemis Search vendor "Apache" for product "Activemq Artemis" | < 2.24.0 Search vendor "Apache" for product "Activemq Artemis" and version " < 2.24.0" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager" | - | windows |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Oncommand Workflow Automation Search vendor "Netapp" for product "Oncommand Workflow Automation" | - | - |
Affected
| ||||||