[ https://issues.apache.org/jira/browse/AMQ-7236?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vipin updated AMQ-7236:
-----------------------
Description:
Security vulnerability in spring-expression-4.3.11.RELEASE.jar (Spring
Framework). Can it be upgraded to spring-expression-5.1.6.RELEASE.jar?

SEV-1
[CVE-2018-1270|https://vss.wellsfargo.net/vuln/CVE-2018-1270] (Spring
Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and
older unsupported versions, allow applications to expose STOMP over WebSocket
endpoints with a simple, in-memory STOMP broker through the spring-messaging
module. A malicious user (or attacker) can craft a message to the broker that
can lead to a remote code execution attack.)
[CVE-2018-1275|https://vss.wellsfargo.net/vuln/CVE-2018-1275] (Spring
Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and
older unsupported versions, allow applications to expose STOMP over WebSocket
endpoints with a simple, in-memory STOMP broker through the spring-messaging
module. A malicious user (or attacker) can craft a message to the broker that
can lead to a remote code execution attack. This CVE addresses the partial fix
for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.)

SEV-2
[CVE-2018-1199|https://vss.wellsfargo.net/vuln/CVE-2018-1199] (Spring Security
(Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before
5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does
not consider URL path parameters when processing security constraints. By
adding a URL path parameter with special encodings, an attacker may be able to
bypass a security constraint. The root cause of this issue is a lack of clarity
regarding the handling of path parameters in the Servlet Specification. Some
Servlet containers include path parameters in the value returned for
getPathInfo() and some do not. Spring Security uses the value returned by
getPathInfo() as part of the process of mapping requests to security
constraints. In this particular attack, different character encodings used in
path parameters allow secured Spring MVC static resource URLs to be bypassed.)

SEV-2 - for XStream 1.4.10
[CVE-2013-7285|https://vss.wellsfargo.net/vuln/CVE-2013-7285] (XStream API
versions up to 1.4.6 and version 1.4.10, if the security framework has not been
initialized, may allow a remote attacker to run arbitrary shell commands by
manipulating the processed input stream when unmarshaling XML or any supported
format, e.g. JSON.)
> SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring
> framework) and xstream-1.4.10.jar
> ---------------------------------------------------------------------------------------------------------------
>
> Key: AMQ-7236
> URL: https://issues.apache.org/jira/browse/AMQ-7236
> Project: ActiveMQ
> Issue Type: Bug
> Affects Versions: 5.15.9
> Environment: Apache ActiveMQ 5.15.9
> Reporter: Vipin
> Priority: Major
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
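The CVE-2018-1199 entry above turns on one detail: whether the path a security rule is matched against still contains URL path parameters (";name=value" on a segment) while the handler that ultimately serves the resource sees them stripped. The following is an added example, not code from ActiveMQ, Spring or the reporter; it is a simplified model of that mismatch with a hypothetical rule protecting /secure/, constructed request paths, and no servlet container involved. The encoded variants the CVE text mentions are not reproduced here.

```java
import java.util.List;

/**
 * Added example (not ActiveMQ or Spring code): a simplified model of the
 * CVE-2018-1199 mismatch. A security rule is matched against the request
 * path a container hands back, but containers disagree on whether URL path
 * parameters (";name=value" on a segment, e.g. ";jsessionid=...") are still
 * in that path. If the rule sees "/secure;x=y/report" while the resource
 * handler that serves the file sees "/secure/report", the rule never fires.
 */
public class PathParamMatchDemo {

    /** Hypothetical rule: everything under /secure/ requires authentication. */
    static final String PROTECTED_PREFIX = "/secure/";

    /** Remove ";name=value" path parameters from every segment (what some containers do). */
    static String stripPathParameters(String path) {
        StringBuilder out = new StringBuilder();
        for (String segment : path.split("/", -1)) {
            int semi = segment.indexOf(';');
            out.append(semi >= 0 ? segment.substring(0, semi) : segment).append('/');
        }
        return out.substring(0, out.length() - 1); // drop the trailing '/' added by the loop
    }

    /** Vulnerable check: trusts the raw path, so a ';' on the protected segment hides it. */
    static boolean requiresAuthRaw(String path) {
        return path.startsWith(PROTECTED_PREFIX);
    }

    /** Hardened check: normalize the same way the resource handler does before matching. */
    static boolean requiresAuthNormalized(String path) {
        return stripPathParameters(path).startsWith(PROTECTED_PREFIX);
    }

    /** Strictest option: refuse any request path that carries a ';' at all. */
    static boolean hasPathParameter(String path) {
        return path.indexOf(';') >= 0;
    }

    public static void main(String[] args) {
        // Constructed request paths; the second and third carry a path parameter
        // on the protected segment, which is the shape that defeats the raw check.
        List<String> requests = List.of(
            "/secure/report",
            "/secure;x=y/report",
            "/secure;jsessionid=abc/report",
            "/public/index.html");
        System.out.printf("%-32s %-6s %-10s %s%n", "path", "raw", "normalized", "has;");
        for (String p : requests) {
            System.out.printf("%-32s %-6b %-10b %b%n",
                p, requiresAuthRaw(p), requiresAuthNormalized(p), hasPathParameter(p));
        }
    }
}
```

For "/secure;x=y/report" the raw check answers false while the normalized check answers true: the rule and the resource handler disagree on what the path is, which is the bypass. The two defences shown are either to match after the same normalization the container applies, or to take the strict route that Spring Security's StrictHttpFirewall (4.2.4+/5.0.1+) takes and reject a ';' in the request URI outright unless setAllowSemicolon(true) is explicitly configured.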
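The CVE-2013-7285 entry above hinges on the phrase "if the security framework has not been initialized": an XStream instance with no type permissions will instantiate whatever class the root element of the input names. The following is an added example, not ActiveMQ or XStream project code, showing the unrestricted configuration beside the deny-by-default allowlist the XStream security framework provides. The Order class, the "order" alias and both XML documents are constructed for the example; the unexpected document uses a plain java.util.ArrayList, not an exploit payload, to stand in for "any type the attacker chooses". It assumes the xstream jar (1.4.10 or later) on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Added example (not ActiveMQ or XStream code): the unrestricted XStream
 * configuration that CVE-2013-7285 describes, next to a hardened one that
 * initializes the security framework with an explicit allowlist.
 */
public class XStreamAllowlistDemo {

    /** Hypothetical application type that is legitimately exchanged. */
    public static class Order {
        public String id;
        public int quantity;
    }

    /** Vulnerable: no permissions installed, so any class named in the input is created. */
    static XStream unsafeXStream() {
        XStream xstream = new XStream();
        xstream.alias("order", Order.class);
        return xstream;
    }

    /** Hardened: clear all permissions, then allow only what the application needs. */
    static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // deny everything first
        xstream.addPermission(NullPermission.NULL);                // allow null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, wrappers
        xstream.allowTypes(new Class[] { String.class, Order.class });
        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        // Constructed inputs: the shape the application expects, and one it never does.
        String orderXml = "<order><id>A-1</id><quantity>3</quantity></order>";
        String unexpectedXml = "<java.util.ArrayList><string>x</string></java.util.ArrayList>";

        XStream unsafe = unsafeXStream();
        System.out.println("unsafe   order      -> " + ((Order) unsafe.fromXML(orderXml)).id);
        // Accepted: the root element alone decides the type that gets instantiated.
        System.out.println("unsafe   unexpected -> " + unsafe.fromXML(unexpectedXml).getClass());

        XStream hardened = hardenedXStream();
        System.out.println("hardened order      -> " + ((Order) hardened.fromXML(orderXml)).id);
        try {
            hardened.fromXML(unexpectedXml);
            System.out.println("hardened unexpected -> accepted (allowlist is too broad)");
        } catch (ForbiddenClassException e) {
            // Expected: java.util.ArrayList is not on the allowlist.
            System.out.println("hardened unexpected -> rejected: " + e.getMessage());
        }
    }
}
```

The point of adding NoTypePermission.NONE first is that it clears the permissive defaults; every later allowTypes or allowTypesByWildcard call then widens the list deliberately. XStream 1.4.10 also added XStream.setupDefaultSecurity(XStream) as a one-call baseline, and from 1.4.18 the allowlist is on by default, but an explicit allowlist like the one above is what makes the accepted types reviewable in a bump from 1.4.10.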