[ https://issues.apache.org/jira/browse/AMQ-7252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16908530#comment-16908530 ]

Vipin commented on AMQ-7252:
----------------------------

[~jbonofre], I checked the Apache Velocity project, and it appears that 2.1 is 
available (https://velocity.apache.org/news.html#engine21). Could you please 
see if this can be updated to counter the reported vulnerability? 

> SEV2 Vulnerabilities: Apache ActiveMQ Server libraries: commons-net-3.6.jar 
> and velocity-1.7.jar
> ------------------------------------------------------------------------------------------------
>
>                 Key: AMQ-7252
>                 URL: https://issues.apache.org/jira/browse/AMQ-7252
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.15.9
>            Reporter: Vipin
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>              Labels: security-issue, vulnerabilities
>             Fix For: 5.16.0, 5.15.11
>
>
> SEV2 Vulnerabilities: Apache ActiveMQ Server libraries: commons-net-3.6.jar 
> and velocity-1.7.jar
>  
> commons-net-3.6.jar
>  * Apache Commons Net contains a flaw in the changeWorkingDirectory() 
> function in ftpClient.java that is triggered as user-supplied input is not 
> properly sanitized. This may allow a remote attacker to use a newline 
> character in a specially crafted string to execute arbitrary commands.
>  
> velocity-1.7.jar
>  * Apache Commons FileUpload contains a flaw that is due to 
> ParametersInterceptor allowing access to the 'class' parameter. This may 
> allow a remote attacker to manipulate the ClassLoader and execute arbitrary 
> Java code.
>  
>  * Apache Commons Collections contains a flaw in the InvokerTransformer 
> class. This issue is triggered when handling Java code, which may invoke 
> unsafe deserialize calls. This may allow a remote attacker to execute 
> arbitrary code.
>  
>  * Apache Velocity contains a flaw that allows traversing outside of a 
> restricted path. The issue is due to VelocityLayoutServlet not properly 
> sanitizing user input, specifically path traversal style attacks (e.g. '../') 
> supplied via the 'layout' parameter. With a specially crafted request, a 
> remote attacker can gain access to potentially sensitive information.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
