[ https://issues.apache.org/jira/browse/AMQ-7236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16888919#comment-16888919 ]
Vipin commented on AMQ-7236:
----------------------------
[~cshannon], when will the new versions be out?
> SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring
> framework) and xstream-1.4.10.jar
> ---------------------------------------------------------------------------------------------------------------
>
> Key: AMQ-7236
> URL: https://issues.apache.org/jira/browse/AMQ-7236
> Project: ActiveMQ
> Issue Type: Bug
> Affects Versions: 5.15.9
> Environment: Apache ActiveMQ 5.15.9
> Reporter: Vipin
> Assignee: Christopher L. Shannon
> Priority: Major
> Fix For: 5.16.0, 5.15.10
>
>
> Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring
> framework); can it be upgraded to spring-expression-5.1.6.RELEASE.jar?
> SEV-1
> CVE-2018-1270 (Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3
> prior to 4.3.15 and older unsupported versions, allow applications to expose
> STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through
> the spring-messaging module. A malicious user (or attacker) can craft a
> message to the broker that can lead to a remote code execution attack.)
> CVE-2018-1275 (Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3
> prior to 4.3.16 and older unsupported versions, allow applications to expose
> STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through
> the spring-messaging module. A malicious user (or attacker) can craft a
> message to the broker that can lead to a remote code execution attack. This
> CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the
> Spring Framework.)
>
> SEV-2
> CVE-2018-1199 (Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x
> before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before
> 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when
> processing security constraints. By adding a URL path parameter with special
> encodings, an attacker may be able to bypass a security constraint. The root
> cause of this issue is a lack of clarity regarding the handling of path
> parameters in the Servlet Specification. Some Servlet containers include path
> parameters in the value returned for getPathInfo() and some do not. Spring
> Security uses the value returned by getPathInfo() as part of the process of
> mapping requests to security constraints. In this particular attack,
> different character encodings used in path parameters allows secured Spring
> MVC static resource URLs to be bypassed.)
>
> SEV-2 - for XStream 1.4.10
> CVE-2013-7285 (XStream API versions up to 1.4.6 and version 1.4.10, if the
> security framework has not been initialized, may allow a remote attacker to
> run arbitrary shell commands by manipulating the processed input stream when
> unmarshaling XML or any supported format, e.g. JSON.)
>
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
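The CVE-2013-7285 text quoted above applies "if the security framework has not been initialized". The following is an added example, not ActiveMQ project code or anything attached to this issue, of what initializing that framework looks like on XStream 1.4.10: start from a deny-all permission and re-enable only the types the application expects. The `Order` class, the alias name and the two XML documents are constructed for the example; the XStream classes and methods used (`addPermission`, `allowTypes`, `NoTypePermission`, `NullPermission`, `PrimitiveTypePermission`, `ForbiddenClassException`) are the library's own 1.4.x API.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Added example (not ActiveMQ code): initialise the XStream 1.4.10 security
 * framework with an explicit type allowlist, so that input naming any other
 * class is refused before it is instantiated.
 */
public class XStreamAllowlistExample {

    /** Constructed domain type: the only application class expected in input. */
    public static final class Order {
        public String sku;
        public int quantity;
    }

    /** Build an XStream instance that denies every type not listed here. */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Deny everything first, then re-enable only what the application needs.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Order.class });
        // Constructed alias so the XML element is <order> rather than the class name.
        xstream.alias("order", Order.class);
        return xstream;
    }

    /** Parse one document; returns null when XStream refuses a type in it. */
    public static Object parseOrNull(XStream xstream, String xml) {
        try {
            return xstream.fromXML(xml);
        } catch (ForbiddenClassException e) {
            // Log and reject: a type outside the allowlist is never instantiated.
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed, well-formed input for the allowed type.
        String good = "<order><sku>ABC-123</sku><quantity>2</quantity></order>";
        Order order = (Order) parseOrNull(xstream, good);
        System.out.println("parsed sku=" + order.sku + " quantity=" + order.quantity);

        // Constructed input naming a harmless JDK class that is NOT on the allowlist;
        // with the framework initialised it is refused (ForbiddenClassException).
        String unlisted = "<java.util.HashMap/>";
        Object result = parseOrNull(xstream, unlisted);
        System.out.println("unlisted type instantiated? " + (result != null));
    }
}
```

Run with xstream-1.4.10.jar (and its xpp3/xmlpull dependencies) on the classpath: the first document parses, the second is rejected and `false` is printed. XStream 1.4.10 also offers the static `XStream.setupDefaultSecurity(xstream)`, which installs a blocklist of known-dangerous types; an explicit allowlist like the one above is the stricter choice, because it does not depend on the blocklist being complete for whatever classes happen to be on the broker's classpath.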