[ https://issues.apache.org/jira/browse/AMQ-7465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17114527#comment-17114527 ]
ASF subversion and git services commented on AMQ-7465:
------------------------------------------------------
Commit 93c245b8ec16849994f2cd4bb4a4b0bb73086ed1 in activemq's branch
refs/heads/master from jbonofre
[ https://gitbox.apache.org/repos/asf?p=activemq.git;h=93c245b ]
[AMQ-7465] Protect any webconsole URL by default
> Xerver Double Slash Authentication Bypass detected on ActiveMQ directory
> ------------------------------------------------------------------------
>
> Key: AMQ-7465
> URL: https://issues.apache.org/jira/browse/AMQ-7465
> Project: ActiveMQ
> Issue Type: Bug
> Components: Security/JAAS
> Affects Versions: 5.14.5
> Reporter: Bhavana
> Assignee: Jean-Baptiste Onofré
> Priority: Critical
> Fix For: 5.16.0, 5.15.13
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Xerver Double Slash Authentication Bypass detected on ActiveMQ directory.
> The version of Xerver installed on the remote host is affected by an
> authentication bypass vulnerability. It is possible to access protected web
> directories without authentication by prepending the directory with an extra
> '/' character, as long as the directory is not recursively protected.
> A remote, unauthenticated attacker can leverage this issue to gain access to
> protected web directories.
> Nessus was able to reproduce the issue using the following URL:
> [https://seliiuapp11022.seli.gic.ericsson.se:8162//admin/]
> We have assigned port 8162 to the ActiveMQ GUI in our applications.
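The quoted finding turns on the gap between the raw request path and the resource it names: a constraint on `/admin/*` is a string-prefix match that `//admin/` never satisfies, so either the servlet-level fix of protecting `/*` (what the commit above does) or normalizing the path before matching closes it. The following Python model of that check is an added example, not ActiveMQ or Jetty code; the url-patterns and request paths are constructed, and the matching follows servlet url-pattern rules in simplified form.

```python
"""Model of a path-prefix security constraint, the double-slash bypass,
and two defender-side fixes (constructed example, not ActiveMQ/Jetty code)."""
import posixpath
import re
from typing import Iterable

# Constructed web.xml-style url-patterns. LOOSE mirrors a console that
# guards only /admin/*; STRICT mirrors "protect any webconsole URL".
LOOSE_PATTERNS = ["/admin/*"]
STRICT_PATTERNS = ["/*"]


def _matches(pattern: str, path: str) -> bool:
    """Simplified servlet prefix match: '/x/*' matches '/x' and '/x/...'."""
    if pattern == "/*":
        return True
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return path == pattern


def is_protected_naive(path: str, patterns: Iterable[str]) -> bool:
    """Match the raw request path against the constraints (the flaw):
    '//admin/' does not start with '/admin/', so nothing matches."""
    return any(_matches(p, path) for p in patterns)


def normalize(path: str) -> str:
    """Collapse repeated slashes and resolve '.'/'..' segments so that
    '//admin/' and '/admin/../admin/' are matched as '/admin/'.
    posixpath.normpath alone is not enough: per POSIX it keeps a path
    that starts with exactly two slashes, hence the regex first."""
    collapsed = re.sub(r"/+", "/", path)
    norm = posixpath.normpath(collapsed)
    if collapsed.endswith("/") and not norm.endswith("/"):
        norm += "/"  # normpath strips the trailing slash; keep it
    return norm


def is_protected_normalized(path: str, patterns: Iterable[str]) -> bool:
    """Normalize before matching so an extra leading '/' cannot dodge it."""
    return is_protected_naive(normalize(path), patterns)


if __name__ == "__main__":
    for p in ("/admin/", "//admin/", "/admin/../admin/", "/api/"):
        print(f"{p:20} naive={is_protected_naive(p, LOOSE_PATTERNS)!s:5} "
              f"normalized={is_protected_normalized(p, LOOSE_PATTERNS)!s:5} "
              f"strict={is_protected_naive(p, STRICT_PATTERNS)}")
```

Run it and the second row shows the bypass (naive=False for `//admin/`) while both fixes report the path as protected.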
--
This message was sent by Atlassian Jira
(v8.3.4#803005)