[jira] [Work logged] (AMQ-7465) Xerver Double Slash Authentication Bypass detected on ActiveMQ directory

Thu, 21 May 2020 01:43:20 -0700 


     [ 
https://issues.apache.org/jira/browse/AMQ-7465?focusedWorklogId=435881&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-435881
 ]

ASF GitHub Bot logged work on AMQ-7465:
---------------------------------------

                Author: ASF GitHub Bot
            Created on: 21/May/20 08:42
            Start Date: 21/May/20 08:42
    Worklog Time Spent: 10m 
      Work Description: jbonofre opened a new pull request #537:
URL: https://github.com/apache/activemq/pull/537


   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

            Worklog Id:     (was: 435881)
    Remaining Estimate: 0h
            Time Spent: 10m

> Xerver Double Slash Authentication Bypass detected on ActiveMQ directory
> ------------------------------------------------------------------------
>
>                 Key: AMQ-7465
>                 URL: https://issues.apache.org/jira/browse/AMQ-7465
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Security/JAAS
>    Affects Versions: 5.14.5
>            Reporter: Bhavana
>            Assignee: Jean-Baptiste Onofré
>            Priority: Critical
>             Fix For: 5.16.0, 5.15.13
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Xerver Double Slash Authentication Bypass detected on ActiveMQ directory.
> The version of Xerver installed on the remote host is affected by an 
> authentication bypass vulnerability. It is possible to access protected web 
> directories without authentication by prepending the directory with an extra 
> '/'character, as long as the directory is not recursively protected.
> A remote, unauthenticated attacker can leverage this issue to gain access to 
> protected web directories.
> Nessus was able to reproduce the issue using the following URL :
> [https://seliiuapp11022.seli.gic.ericsson.se:8162//admin/]
> We have assigned 8162 port for activemq GUI in our applications



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to