ASF subversion and git services commented on AMQ-7465:

Commit e97322bddb06523981046f49225160a2b4347c3d in activemq's branch refs/heads/master from Jean-Baptiste Onofré
[ https://gitbox.apache.org/repos/asf?p=activemq.git;h=e97322b ]

Merge pull request #537 from jbonofre/AMQ-7465

[AMQ-7465] Protect any webconsole URL by default

> Xerver Double Slash Authentication Bypass detected on ActiveMQ directory
> ------------------------------------------------------------------------
>                 Key: AMQ-7465
>                 URL: https://issues.apache.org/jira/browse/AMQ-7465
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Security/JAAS
>    Affects Versions: 5.14.5
>            Reporter: Bhavana
>            Assignee: Jean-Baptiste Onofré
>            Priority: Critical
>             Fix For: 5.16.0, 5.15.13
>          Time Spent: 10m
>  Remaining Estimate: 0h
> Xerver Double Slash Authentication Bypass detected on ActiveMQ directory.
> The version of Xerver installed on the remote host is affected by an
> authentication bypass vulnerability. It is possible to access protected web
> directories without authentication by prepending the directory with an extra
> '/' character, as long as the directory is not recursively protected.
> A remote, unauthenticated attacker can leverage this issue to gain access to
> protected web directories.
> Nessus was able to reproduce the issue using the following URL:
> [https://seliiuapp11022.seli.gic.ericsson.se:8162//admin/]
> We have assigned port 8162 to the ActiveMQ GUI in our applications.
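
The report above describes a path-prefix check that "//admin/" slips past. The following is an added illustration (not code from the ActiveMQ commit or the Jira report) of why a literal prefix comparison fails, how normalising the request path before the check closes that gap, and what the fix title's default-deny approach looks like; the protected prefix "/admin/" and the allowlist of public paths are constructed assumptions.

```python
"""Added example, not from the ActiveMQ project or the Jira report.

Contrasts a flawed prefix check on the raw request path with a check on the
normalised path, and with a default-deny policy that only exempts an explicit
allowlist. All paths and the allowlist below are constructed sample values."""
import posixpath
import re
from urllib.parse import unquote

PROTECTED_PREFIX = "/admin/"                       # assumed protected directory
PUBLIC_PATHS = frozenset({"/", "/index.html"})     # constructed allowlist


def naive_requires_auth(path: str) -> bool:
    # Flawed: compares the raw path, so "//admin/" does not match "/admin/".
    return path.startswith(PROTECTED_PREFIX)


def normalize_path(path: str) -> str:
    # Decode percent-escapes, collapse repeated slashes, resolve "." and "..".
    decoded = unquote(path)
    collapsed = re.sub(r"/+", "/", decoded)
    # posixpath.normpath keeps a leading "//" on POSIX, hence the collapse first.
    normalized = posixpath.normpath(collapsed)
    if not normalized.startswith("/"):
        normalized = "/" + normalized
    # normpath drops a trailing slash; restore it so directory checks stay uniform.
    if collapsed.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def hardened_requires_auth(path: str) -> bool:
    # Prefix check on the normalised path: "//admin/" and "/x/../admin/" now match.
    return normalize_path(path).startswith(PROTECTED_PREFIX)


def requires_auth_default_deny(path: str) -> bool:
    # Protect every console URL unless it is explicitly public, so an unlisted
    # or oddly written path can never fall through to "no auth".
    return normalize_path(path) not in PUBLIC_PATHS
```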

This message was sent by Atlassian Jira