Open mend-for-github-com[bot] opened 3 years ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
CVE-2018-11775 - High Severity Vulnerability
Vulnerable Libraries - activemq-broker-5.14.0.jar, activemq-client-5.14.0.jar
activemq-broker-5.14.0.jar
The ActiveMQ Message Broker implementation
Library home page: http://www.apache.org/
Path to dependency file: /client/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/activemq/activemq-broker/5.14.0/activemq-broker-5.14.0.jar,/home/wss-scanner/.m2/repository/org/apache/activemq/activemq-broker/5.14.0/activemq-broker-5.14.0.jar,/home/wss-scanner/.m2/repository/org/apache/activemq/activemq-broker/5.14.0/activemq-broker-5.14.0.jar
Dependency Hierarchy: - uimaj-as-activemq-2.9.0.jar (Root Library) - :x: **activemq-broker-5.14.0.jar** (Vulnerable Library)
activemq-client-5.14.0.jar
The ActiveMQ Client implementation
Library home page: http://www.apache.org/
Path to dependency file: /client/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/activemq/activemq-client/5.14.0/activemq-client-5.14.0.jar,/home/wss-scanner/.m2/repository/org/apache/activemq/activemq-client/5.14.0/activemq-client-5.14.0.jar,/home/wss-scanner/.m2/repository/org/apache/activemq/activemq-client/5.14.0/activemq-client-5.14.0.jar
Dependency Hierarchy: - uimaj-as-activemq-2.9.0.jar (Root Library) - :x: **activemq-client-5.14.0.jar** (Vulnerable Library)
Found in HEAD commit: 9975759c204d49687fbd104a30621d41b8638321
Found in base branch: master
Vulnerability Details
TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.
Publish Date: 2018-09-10
URL: CVE-2018-11775
CVSS 3 Score Details (7.4)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11775
Release Date: 2018-09-10
Fix Resolution: org.apache.activemq:activemq-broker:5.15.6;org.apache.activemq:activemq-client:5.15.6;org.apache.activemq:activemq-all:5.15.6