Bitnami package
activemq
pkg:bitnami/activemq
Vulnerabilities (29)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-21345 | — | < 5.15.14 | 5.15.14 | Mar 22, 2021 | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is | ||
| CVE-2021-21346 | — | < 5.15.14 | 5.15.14 | Mar 22, 2021 | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is aff | ||
| CVE-2021-21347 | — | < 5.15.14 | 5.15.14 | Mar 22, 2021 | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is aff | ||
| CVE-2020-13947 | — | < 5.15.14 | 5.15.14 | Feb 8, 2021 | An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the message.jsp page of Apache ActiveMQ versions 5.15.12 through 5.16.0. | ||
| CVE-2021-26117 | — | >= 5.15.0, < 5.15.14 | 5.15.14 | Jan 27, 2021 | The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid users | ||
| CVE-2020-26217 | — | < 5.15.14 | 5.15.14 | Nov 16, 2020 | XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Fram | ||
| CVE-2020-11998 | — | >= 5.15.12, <= 5.15.12 | — | Sep 10, 2020 | A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/doc | ||
| CVE-2020-13920 | — | < 5.15.12 | 5.15.12 | Sep 10, 2020 | Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates a | ||
| CVE-2020-1941 | — | >= 5.0.0, <= 5.15.11 | — | May 14, 2020 | In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue. |
- CVE-2021-21345Mar 22, 2021affected < 5.15.14fixed 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is
- CVE-2021-21346Mar 22, 2021affected < 5.15.14fixed 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is aff
- CVE-2021-21347Mar 22, 2021affected < 5.15.14fixed 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is aff
- CVE-2020-13947Feb 8, 2021affected < 5.15.14fixed 5.15.14
An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the message.jsp page of Apache ActiveMQ versions 5.15.12 through 5.16.0.
- CVE-2021-26117Jan 27, 2021affected >= 5.15.0, < 5.15.14fixed 5.15.14
The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid users
- CVE-2020-26217Nov 16, 2020affected < 5.15.14fixed 5.15.14
XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Fram
- CVE-2020-11998Sep 10, 2020affected >= 5.15.12, <= 5.15.12
A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/doc
- CVE-2020-13920Sep 10, 2020affected < 5.15.12fixed 5.15.12
Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates a
- CVE-2020-1941May 14, 2020affected >= 5.0.0, <= 5.15.11
In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue.
Page 2 of 2