This is an automated email from the ASF dual-hosted git repository.
gtully pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/activemq-website.git
The following commit(s) were added to refs/heads/master by this push:
new 40b546e add new announcement
40b546e is described below
commit 40b546e68b9a647548b47e1b8618f29bc4b4ee9a
Author: gtully <[email protected]>
AuthorDate: Mon Jul 20 17:12:38 2020 +0100
add new announcement
---
content/components/artemis/security.html | 1 +
.../CVE-2020-13932-announcement.txt | 19 +++++++++++++++++++
src/components/artemis/security.md | 1 +
.../CVE-2020-13932-announcement.txt | 19 +++++++++++++++++++
4 files changed, 40 insertions(+)
diff --git a/content/components/artemis/security.html
b/content/components/artemis/security.html
index 07be4e2..e1659a6 100644
--- a/content/components/artemis/security.html
+++ b/content/components/artemis/security.html
@@ -97,6 +97,7 @@
<p>See the main <a href="../../security-advisories">Security Advisories</a>
page for details for other components and general information such as reporting
new security issues.</p>
<ul>
+ <li><a
href="../../security-advisories.data/CVE-2020-13932-announcement.txt">CVE-2020-13932</a>
- Apache ActiveMQ Artemis - Remote XSS in Web console Diagram Plugin</li>
<li><a
href="../../security-advisories.data/CVE-2017-12174-announcement.txt">CVE-2017-12174</a>
- Memory exhaustion via UDP and JGroups discovery</li>
<li><a
href="../../security-advisories.data/CVE-2016-4978-announcement.txt">CVE-2016-4978</a>
- Apache ActiveMQ Artemis: Deserialization of untrusted input vunerability</li>
</ul>
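Review bot: The title format in this list is inconsistent: the new CVE-2020-13932 item and the CVE-2016-4978 item carry the "Apache ActiveMQ Artemis" prefix, while the CVE-2017-12174 item between them does not. The page is already Artemis-specific (the paragraph above says so), so either drop the product prefix from the new line so it reads `CVE-2020-13932 - Remote XSS in Web console Diagram Plugin`, or add the prefix to all three entries in one pass. Whichever form is chosen should match the wording of the title line inside the linked announcement file so the two do not drift apart.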
diff --git a/content/security-advisories.data/CVE-2020-13932-announcement.txt
b/content/security-advisories.data/CVE-2020-13932-announcement.txt
new file mode 100644
index 0000000..176a20d
--- /dev/null
+++ b/content/security-advisories.data/CVE-2020-13932-announcement.txt
@@ -0,0 +1,19 @@
+CVE-2020-13932: Apache ActiveMQ Artemis - Remote XSS in Web console Diagram
Plugin
+
+Severity: Medium
+
+Vendor: The Apache Software Foundation
+
+Affected Version: Apache ActiveMQ Artemis 2.5.0 to 2.13.0
+
+Vulnerability details:
+A specifically crafted MQTT packet which has an XSS payload as
+client-id or topic name can exploit this vulnerability. The XSS
+payload is being injected into the admin console's browser. The XSS
+payload is triggered in the diagram plugin; queue node and the info
+section.
+
+Mitigation:
+Upgrade to Apache ActiveMQ Artemis 2.14.0
+
+Credit: This issue was discovered by Arun Magesh from Payatu Software Labs
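Review bot: The line `+Affected Version: Apache ActiveMQ Artemis 2.5.0 to 2.13.0` does not say whether both ends of the range are inclusive; operators and vulnerability scanners key on this, so state it explicitly (for example "2.5.0 through 2.13.0 inclusive") and make the label plural since it is a range. In the details paragraph, `+payload is triggered in the diagram plugin; queue node and the info` / `+section.` reads awkwardly; "is triggered in the diagram plugin's queue node and its info section" says the same thing clearly. The Mitigation section names only the fixed release, which is fine, but if the project endorses an interim control for deployments that cannot upgrade immediately (such as limiting which networks can reach the web console), a single sentence saying so, or saying there is none, would save readers from guessing.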
diff --git a/src/components/artemis/security.md
b/src/components/artemis/security.md
index b315e8c..ed8b8f8 100644
--- a/src/components/artemis/security.md
+++ b/src/components/artemis/security.md
@@ -9,5 +9,6 @@ Details of security problems fixed in released versions of
Apache ActiveMQ Artem
See the main [Security Advisories](../../security-advisories) page for details
for other components and general information such as reporting new security
issues.
+*
[CVE-2020-13932](../../security-advisories.data/CVE-2020-13932-announcement.txt)
- Apache ActiveMQ Artemis - Remote XSS in Web console Diagram Plugin
*
[CVE-2017-12174](../../security-advisories.data/CVE-2017-12174-announcement.txt)
- Memory exhaustion via UDP and JGroups discovery
*
[CVE-2016-4978](../../security-advisories.data/CVE-2016-4978-announcement.txt)
- Apache ActiveMQ Artemis: Deserialization of untrusted input vunerability
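Review bot: The unchanged CVE-2016-4978 entry in this list still spells "vunerability"; since this markdown is the source that the HTML under content/ is generated from, correcting it to `vulnerability` here would be a cheap addition to the same commit and would propagate to the rendered page. Otherwise the new bullet matches the generated HTML hunk above.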
diff --git a/src/security-advisories.data/CVE-2020-13932-announcement.txt
b/src/security-advisories.data/CVE-2020-13932-announcement.txt
new file mode 100644
index 0000000..176a20d
--- /dev/null
+++ b/src/security-advisories.data/CVE-2020-13932-announcement.txt
@@ -0,0 +1,19 @@
+CVE-2020-13932: Apache ActiveMQ Artemis - Remote XSS in Web console Diagram
Plugin
+
+Severity: Medium
+
+Vendor: The Apache Software Foundation
+
+Affected Version: Apache ActiveMQ Artemis 2.5.0 to 2.13.0
+
+Vulnerability details:
+A specifically crafted MQTT packet which has an XSS payload as
+client-id or topic name can exploit this vulnerability. The XSS
+payload is being injected into the admin console's browser. The XSS
+payload is triggered in the diagram plugin; queue node and the info
+section.
+
+Mitigation:
+Upgrade to Apache ActiveMQ Artemis 2.14.0
+
+Credit: This issue was discovered by Arun Magesh from Payatu Software Labs
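Review bot: This file is byte-identical to content/security-advisories.data/CVE-2020-13932-announcement.txt committed above (both hunks show the same blob, `index 0000000..176a20d`), so the advisory text now lives in two places. If content/ is the generated output of src/, the duplicate is expected and the build should be the only thing writing it; if it is not, any later correction to the advisory (for instance the affected-version wording) has to be made twice, so consider keeping src/ as the single source of truth.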