[
https://issues.apache.org/jira/browse/AMQ-7236?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Christopher L. Shannon reassigned AMQ-7236:
-------------------------------------------
Assignee: Christopher L. Shannon
> SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring
> framework) and xstream-1.4.10.jar
> ---------------------------------------------------------------------------------------------------------------
>
> Key: AMQ-7236
> URL: https://issues.apache.org/jira/browse/AMQ-7236
> Project: ActiveMQ
> Issue Type: Bug
> Affects Versions: 5.15.9
> Environment: Apache ActiveMQ 5.15.9
> Reporter: Vipin
> Assignee: Christopher L. Shannon
> Priority: Major
>
> Security vulnerability in spring-expression-4.3.11.RELEASE.jar (Spring
> Framework). Can it be upgraded to spring-expression-5.1.6.RELEASE.jar?
> SEV-1
> [CVE-2018-1270|https://vss.wellsfargo.net/vuln/CVE-2018-1270] (Spring
> Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and
> older unsupported versions, allow applications to expose STOMP over WebSocket
> endpoints with a simple, in-memory STOMP broker through the spring-messaging
> module. A malicious user (or attacker) can craft a message to the broker that
> can lead to a remote code execution attack.)
> [CVE-2018-1275|https://vss.wellsfargo.net/vuln/CVE-2018-1275] (Spring
> Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and
> older unsupported versions, allow applications to expose STOMP over WebSocket
> endpoints with a simple, in-memory STOMP broker through the spring-messaging
> module. A malicious user (or attacker) can craft a message to the broker that
> can lead to a remote code execution attack. This CVE addresses the partial
> fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.)
>
> SEV-2
> [CVE-2018-1199|https://vss.wellsfargo.net/vuln/CVE-2018-1199] (Spring
> Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x
> before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before
> 5.0.3) does not consider URL path parameters when processing security
> constraints. By adding a URL path parameter with special encodings, an
> attacker may be able to bypass a security constraint. The root cause of this
> issue is a lack of clarity regarding the handling of path parameters in the
> Servlet Specification. Some Servlet containers include path parameters in the
> value returned for getPathInfo() and some do not. Spring Security uses the
> value returned by getPathInfo() as part of the process of mapping requests to
> security constraints. In this particular attack, different character
> encodings used in path parameters allows secured Spring MVC static resource
> URLs to be bypassed.)
>
> SEV-2 - for XStream 1.4.10
> [CVE-2013-7285|https://vss.wellsfargo.net/vuln/CVE-2013-7285] (Xstream API
> versions up to 1.4.6 and version 1.4.10, if the security framework has not
> been initialized, may allow a remote attacker to run arbitrary shell commands
> by manipulating the processed input stream when unmarshaling XML or any
> supported format, e.g. JSON.)
>
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
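The ticket above lists affected version ranges but gives no way to check a deployment against them. The script below is an added example, not code from the ActiveMQ ticket, the Spring projects or XStream: it audits a `lib/` directory listing against exactly the ranges quoted in the four CVE descriptions (STOMP RCE in spring-messaging, the path-parameter bypass in Spring Framework and Spring Security, and the XStream unmarshaling issue). The jar names in `SAMPLE_LIB` and the `SPRING_FRAMEWORK` module set are constructed for the demo; the Spring Framework rules key on every module of the release train because all Spring Framework jars share one version, even though the STOMP flaw itself lives in spring-messaging. It goes beyond the ticket by also covering the Spring Security ranges that CVE-2018-1199 names.

```python
"""Audit jar file names against the CVE version ranges quoted in AMQ-7236.
Added example; SAMPLE_LIB and SPRING_FRAMEWORK are constructed, not from the ticket."""
import re
from typing import Callable, Iterable, List, Tuple

Version = Tuple[int, ...]

# Matches '<artifact>-<version>.jar', e.g. spring-expression-4.3.11.RELEASE.jar
JAR_RE = re.compile(r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<version>\d[\w.]*)\.jar$")

# Spring Framework modules that share the 4.3.x / 5.0.x release train (constructed subset).
SPRING_FRAMEWORK = {
    "spring-core", "spring-beans", "spring-context", "spring-expression",
    "spring-messaging", "spring-web", "spring-webmvc", "spring-websocket",
}


def parse_version(s: str) -> Version:
    """'4.3.11.RELEASE' -> (4, 3, 11); qualifiers such as RELEASE are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


def cve_2018_1270_1275(v: Version) -> bool:
    """STOMP-over-WebSocket RCE: 4.3.x before 4.3.16 (1275 completes the 1270 fix),
    5.0.x before 5.0.5, and older unsupported lines."""
    if v[:2] == (4, 3):
        return v < (4, 3, 16)
    if v[:2] == (5, 0):
        return v < (5, 0, 5)
    return v < (4, 3)


def cve_2018_1199_framework(v: Version) -> bool:
    """Path-parameter bypass, Spring Framework side: 4.3.x before 4.3.14, 5.0.x before 5.0.3."""
    if v[:2] == (4, 3):
        return v < (4, 3, 14)
    if v[:2] == (5, 0):
        return v < (5, 0, 3)
    return False


def cve_2018_1199_security(v: Version) -> bool:
    """Path-parameter bypass, Spring Security side: 4.1.x < 4.1.5, 4.2.x < 4.2.4, 5.0.x < 5.0.1."""
    if v[:2] == (4, 1):
        return v < (4, 1, 5)
    if v[:2] == (4, 2):
        return v < (4, 2, 4)
    if v[:2] == (5, 0):
        return v < (5, 0, 1)
    return False


def cve_2013_7285(v: Version) -> bool:
    """XStream unmarshaling RCE when the security framework is not initialized:
    versions up to 1.4.6 and exactly 1.4.10."""
    return v <= (1, 4, 6) or v == (1, 4, 10)


# (artifact predicate, version predicate, CVE id, severity as the ticket rates it)
RULES: List[Tuple[Callable[[str], bool], Callable[[Version], bool], str, str]] = [
    (lambda a: a in SPRING_FRAMEWORK, cve_2018_1270_1275, "CVE-2018-1270/1275", "SEV-1"),
    (lambda a: a in SPRING_FRAMEWORK, cve_2018_1199_framework, "CVE-2018-1199", "SEV-2"),
    (lambda a: a.startswith("spring-security-"), cve_2018_1199_security, "CVE-2018-1199", "SEV-2"),
    (lambda a: a == "xstream", cve_2013_7285, "CVE-2013-7285", "SEV-2"),
]


def audit(jar_names: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (jar, cve, severity) for every jar whose version falls in an affected range."""
    findings = []
    for name in jar_names:
        m = JAR_RE.match(name)
        if not m:
            continue  # unversioned or oddly named jar; in practice report it for manual review
        artifact, v = m.group("artifact"), parse_version(m.group("version"))
        for matches, affected, cve, sev in RULES:
            if matches(artifact) and affected(v):
                findings.append((name, cve, sev))
    return findings


# Constructed listing modelled on the ticket: 5.15.9 ships spring-*-4.3.11 and xstream-1.4.10.
SAMPLE_LIB = [
    "activemq-broker-5.15.9.jar",
    "spring-core-4.3.11.RELEASE.jar",
    "spring-expression-4.3.11.RELEASE.jar",
    "xstream-1.4.10.jar",
    "spring-security-web-4.2.3.RELEASE.jar",  # constructed; not in the ticket
]

if __name__ == "__main__":
    for jar, cve, sev in audit(SAMPLE_LIB):
        print(f"{sev}\t{cve}\t{jar}")
```

Run against a real `ls lib/` listing the script reports the upgrade the ticket asks for as clean (5.1.6 is outside every range) and flags 4.3.11 under both Spring CVEs; note that a version outside the quoted ranges, such as XStream 1.4.7 through 1.4.9, is reported clean only because the CVE text does not name it, which is not the same as proof that the XStream security framework is initialized in the deployment.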