[ https://issues.apache.org/jira/browse/AMQ-7019?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16559013#comment-16559013 ]
ASF subversion and git services commented on AMQ-7019: ------------------------------------------------------ Commit 972b3fa6cf928e5ae7e008fa263e96c5ab71bf72 in activemq's branch refs/heads/activemq-5.15.x from [~tabish121] [ https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=972b3fa ] AMQ-7019 Update Jolokia to latest version Updates version to v1.6.0 (cherry picked from commit 2ebea251cdf58ddf0a29f41ccb6c6aadcfdb9b95) > ActiveMQ 5.15.4 jolokia.jar which has one high severity CVE against it. > ----------------------------------------------------------------------- > > Key: AMQ-7019 > URL: https://issues.apache.org/jira/browse/AMQ-7019 > Project: ActiveMQ > Issue Type: Bug > Components: webconsole > Affects Versions: 5.15.4 > Environment: Customer environment is a mix of Linux and Windows, > Gig-LAN (Medical & Finacial services). Will not accept the risk of having > even one high severity CVE in thier environment. The cost of (SOX/HIPPA) > insurence is too high to allow even one CVE with newly deployed systems. > Reporter: Albert Baker > Priority: Blocker > > ActiveMQ 5.15.4 jolokia.jar which has one high severity CVE against it. > Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running > the OWASP report. > CVE-2015-5182 Severity:High CVSS Score: 6.8 > allows Cross-site request forgery (CSRF) vulnerability in the jolokia API in > A-MQ. > CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1248809 CONFIRM -- This message was sent by Atlassian JIRA (v7.6.3#76005)