[jira] [Work logged] (AMQ-7252) SEV2 Vulnerabilities: Apache ActiveMQ Server libraries: commons-net-3.6.jar and velocity-1.7.jar

Thu, 14 Nov 2019 21:09:43 -0800 


     [ 
https://issues.apache.org/jira/browse/AMQ-7252?focusedWorklogId=343986&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-343986
 ]

ASF GitHub Bot logged work on AMQ-7252:
---------------------------------------

                Author: ASF GitHub Bot
            Created on: 15/Nov/19 05:08
            Start Date: 15/Nov/19 05:08
    Worklog Time Spent: 10m 
      Work Description: jbonofre commented on pull request #414: [AMQ-7252] 
Upgrade to Velocity 2.1
URL: https://github.com/apache/activemq/pull/414
 
 
   
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

            Worklog Id:     (was: 343986)
    Remaining Estimate: 0h
            Time Spent: 10m

> SEV2 Vulnerabilities: Apache ActiveMQ Server libraries: commons-net-3.6.jar 
> and velocity-1.7.jar
> ------------------------------------------------------------------------------------------------
>
>                 Key: AMQ-7252
>                 URL: https://issues.apache.org/jira/browse/AMQ-7252
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.15.9
>            Reporter: Vipin
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>              Labels: security-issue, vulnerabilities
>             Fix For: 5.16.0, 5.15.11
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> SEV2 Vulnerabilities: Apache ActiveMQ Server libraries: commons-net-3.6.jar 
> and velocity-1.7.jar
>  
> commons-net-3.6.jar
>  * Apache Commons Net contains a flaw in the changeWorkingDirectory() 
> function in ftpClient.java that is triggered as user-supplied input is not 
> properly sanitized. This may allow a remote attacker to use a newline 
> character in a specially crafted string to execute arbitrary commands.
>  
> velocity-1.7.jar
>  * Apache Commons FileUpload contains flaw that is due to 
> ParametersInterceptor allowing access to the 'class' parameter. This may 
> allow a remote attacker to manipulate the ClassLoader and execute arbitrary 
> Java code.
>  
>  * Apache Commons Collections contains a flaw in the InvokerTransformer 
> class. This issue is triggered when handling Java code, which may invoke 
> unsafe deserialize calls. This may allow a remote attacker to execute 
> arbitrary code.
>  
>  * Apache Velocity contains a flaw that allows traversing outside of a 
> restricted path. The issue is due to VelocityLayoutServlet not properly 
> sanitizing user input, specifically path traversal style attacks (e.g. '../') 
> supplied via the 'layout' parameter. With a specially crafted request, a 
> remote attacker can gain access to potentially sensitive information.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to