[
https://issues.apache.org/jira/browse/AMQ-8984?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17573354#comment-17573354
]
Lucas Tétreault commented on AMQ-8984:
--------------------------------------
This appears to be a vulnerability in ActiveMQ Artemis:
{code:java}
XML external entity (XXE) vulnerability in the XPath selector component in
Artemis ActiveMQ before commit 48d9951d879e0c8cbb59d4b64ab59d53ef88310d allows
remote attackers to have unspecified impact via unknown vectors.See details for
org.apache.activemq/activemq-broker {code}
> Fix or challenge CVE-2015-3208 reported by ossindex.sonatype.org
> ----------------------------------------------------------------
>
> Key: AMQ-8984
> URL: https://issues.apache.org/jira/browse/AMQ-8984
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker
> Affects Versions: 5.16.3, 5.16.4, 5.16.5
> Reporter: Sven-Jørgen Karlsen
> Assignee: Jean-Baptiste Onofré
> Priority: Minor
>
> I get CVE-2015-3208 reported against activemq-broker 5.16.3-5 when running
> maven-enforcer-plugin with the banVulnerable rule. The vulnerability can also
> be seen on ossindex.org:
> [https://ossindex.sonatype.org/vulnerability/CVE-2015-3208?component-type=maven&component-name=org.apache.activemq%2Factivemq-broker&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1]
>
> It looks rather dated, is it some kind of fault in Sonatype's database? I
> have seen several odd occurrences of old vulnerabilities in ossindex.org the
> last month or so, after the "breaking changes" being working on in the OSS
> Index data.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
