[ https://issues.apache.org/jira/browse/AMQ-7465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17114528#comment-17114528 ]

ASF subversion and git services commented on AMQ-7465:
------------------------------------------------------

Commit e97322bddb06523981046f49225160a2b4347c3d in activemq's branch refs/heads/master from Jean-Baptiste Onofré
[ https://gitbox.apache.org/repos/asf?p=activemq.git;h=e97322b ]

Merge pull request #537 from jbonofre/AMQ-7465

[AMQ-7465] Protect any webconsole URL by default

> Xerver Double Slash Authentication Bypass detected on ActiveMQ directory
> ------------------------------------------------------------------------
>
>                 Key: AMQ-7465
>                 URL: https://issues.apache.org/jira/browse/AMQ-7465
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Security/JAAS
>    Affects Versions: 5.14.5
>            Reporter: Bhavana
>            Assignee: Jean-Baptiste Onofré
>            Priority: Critical
>             Fix For: 5.16.0, 5.15.13
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Xerver Double Slash Authentication Bypass detected on ActiveMQ directory.
> The version of Xerver installed on the remote host is affected by an
> authentication bypass vulnerability. It is possible to access protected web
> directories without authentication by prepending the directory with an extra
> '/' character, as long as the directory is not recursively protected.
> A remote, unauthenticated attacker can leverage this issue to gain access to
> protected web directories.
> Nessus was able to reproduce the issue using the following URL:
> [https://seliiuapp11022.seli.gic.ericsson.se:8162//admin/]
> We have assigned port 8162 to the ActiveMQ GUI in our applications.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
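The report above describes a request for `//admin/` slipping past a constraint that only covers `/admin/`, and the fix commit title says the remedy was to protect every web-console URL by default. The following is an added example, not code from the Jira issue or from ActiveMQ, that models the path-matching gap in a few lines of Python: a simplified servlet-style path-spec matcher, a path normaliser, and three configurations run against the same request. The path specs `/admin/*`, `/api/*` (the "only named prefixes are protected" case) and `/*` (the catch-all case) are assumptions for illustration, not a copy of ActiveMQ's jetty.xml.

```python
"""Model of the path-matching gap behind a double-slash authentication bypass.

A servlet container decides whether a request needs authentication by matching
the request path against its security-constraint path specs.  If only specific
prefixes such as /admin/* are protected and the raw path //admin/ is matched
before any normalisation, no constraint fires, the request is let through, and
the container may still resolve it to the protected resource.  Two independent
fixes are shown: normalising the path before matching, and protecting every
URL with /* (the approach named in the fix commit title).  The path specs
below are assumptions for illustration, not ActiveMQ's actual configuration.
"""

# Pre-fix style: only named prefixes are protected (assumed configuration).
SPECIFIC_SPECS = ["/admin/*", "/api/*"]
# Post-fix style: every web-console URL requires authentication.
CATCH_ALL_SPECS = ["/*"]


def matches(path_spec: str, path: str) -> bool:
    """Servlet-style matching: '/foo/*' covers '/foo' and everything below it,
    '/*' covers every path, anything else must match exactly."""
    if path_spec.endswith("/*"):
        prefix = path_spec[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == path_spec


def normalize(path: str) -> str:
    """Collapse repeated slashes and resolve '.'/'..' segments so that //admin/
    and /admin/ are compared as the same resource (trailing slash preserved).
    posixpath.normpath is deliberately not used: it keeps a leading '//'."""
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue            # an empty segment is exactly what '//' produces
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    result = "/" + "/".join(segments)
    if path.endswith("/") and result != "/":
        result += "/"
    return result


def requires_auth(specs, path: str, normalize_first: bool) -> bool:
    """True if some constraint covers the request path as the container sees it."""
    check_path = normalize(path) if normalize_first else path
    return any(matches(spec, check_path) for spec in specs)


def unauthenticated_access_allowed(specs, path: str, normalize_first: bool) -> bool:
    """An unauthenticated request is let through only when no constraint fires."""
    return not requires_auth(specs, path, normalize_first)


def evaluate(path: str) -> dict:
    """Run one request path through the three configurations under discussion.
    True means an unauthenticated client gets in (i.e. a bypass)."""
    return {
        "specific_raw":        unauthenticated_access_allowed(SPECIFIC_SPECS, path, False),
        "specific_normalized": unauthenticated_access_allowed(SPECIFIC_SPECS, path, True),
        "catch_all_raw":       unauthenticated_access_allowed(CATCH_ALL_SPECS, path, False),
    }


if __name__ == "__main__":
    # Constructed request paths: the plain one and the doubled-slash variant.
    for p in ["/admin/", "//admin/", "/api/jolokia/"]:
        print(p, evaluate(p))
```

For `//admin/` the first configuration returns `True` (the bypass), while both normalising before matching and the `/*` catch-all return `False`. The catch-all is the more robust of the two because it does not depend on the container canonicalising the path the same way the constraint matcher expects. To verify a deployment, request both `/admin/` and `//admin/` without credentials and confirm both answer with an authentication challenge rather than console content.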