[ https://issues.apache.org/jira/browse/AMQ-6987?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christopher L. Shannon closed AMQ-6987.
---------------------------------------
    Resolution: Invalid

> ActiveMQ 5.15.4 contains activemq-camel-5.15.4.jar which has two high severity 
> CVEs against it
> ---------------------------------------------------------------------------------------------
>
>                 Key: AMQ-6987
>                 URL: https://issues.apache.org/jira/browse/AMQ-6987
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: activemq-camel
>    Affects Versions: 5.15.4
>         Environment: Customer environment is a mix of Linux and Windows, 
> Gig-LAN.  Will not accept the risk of having even one high severity CVE in 
> their environment.
>            Reporter: Albert Baker
>            Priority: Blocker
>
> ActiveMQ 5.15.4 contains activemq-camel-5.15.4.jar which has two high 
> severity CVEs against it.
> Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running 
> the OWASP report
> CVE-2015-5183 Severity:High  CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-254 Security Features The Hawtio console in A-MQ does not set 
> HTTPOnly or Secure attributes on cookies.
> CVE-2015-5184  Severity:High  CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-254 Security Features The Hawtio console in A-MQ allows remote 
> attackers to obtain sensitive information and perform other unspecified 
> impact.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
