[
https://issues.apache.org/jira/browse/AMQ-9536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17870645#comment-17870645
]
Ken Liao commented on AMQ-9536:
-------------------------------
This CVE is raised against a third-party JS library, Prototype.js 1.7.3. It has
two methods, {{stripTags}} and {{unescapeHTML}}, through which an attacker can
cause a Regular Expression Denial of Service (ReDoS) by stripping crafted HTML
tags. This library is contained in ActiveMQ 6.1.x, 5.18.x, 5.17.x, 5.16.x (note
5.15.x uses 1.6.0.3). Prototype.js itself is used in many places in the
{{activemq-web}} and {{activemq-web-demo}} packages. After searching the code
for usage of the two offending methods {{stripTags}} and {{unescapeHTML}}, it is
verified that the two offending methods are not referenced anywhere in the
entire ActiveMQ repository (except the method definitions in the Prototype.js
script). Hence, these two methods are not in any code path and ActiveMQ is not
impacted.
> [[Security] CVE-2020-27511 fix needed for activemq-osgi-5.17.6 and
> strudl.0.3.13
> --------------------------------------------------------------------------------
>
> Key: AMQ-9536
> URL: https://issues.apache.org/jira/browse/AMQ-9536
> Project: ActiveMQ Classic
> Issue Type: Bug
> Components: Security/JAAS
> Affects Versions: 5.17.6
> Reporter: Abhijit Rajwade
> Priority: Major
>
> Description
> CVE-2020-27511 fix needed for activemq-osgi-5.17.6 and strudl.0.3.13
> Description :
> Severity : CVE CVSS 3: 7.5; Sonatype CVSS 3: 7.5
> Weakness : Sonatype CWE: 400
> Source : National Vulnerability Database
> Categories : Data
> Description from CVE : An issue was discovered in the stripTags and
> unescapeHTML components in Prototype 1.7.3 where an attacker can cause a
> Regular Expression Denial of Service through stripping crafted HTML tags.
> Explanation : The prototype package is vulnerable to Regular Expression
> Denial of Service (ReDoS) attacks. The stripTags() function in the String.js
> file used to unescape HTML fails to efficiently parse and remove tags within
> a given string. An attacker can exploit this vulnerability by submitting a
> crafted code block which, when parsed by the affected function, will exhaust
> system resources and trigger a DoS condition.
> Detection : The application is vulnerable by using this component.
> Recommendation : There is no non-vulnerable upgrade path for this
> component/package. We recommend investigating alternative components or a
> potential mitigating control.
> Root Cause : activemq-osgi-5.17.6.jar : org/apache/activemq/web/prototype.js : [
> , ]
> Advisories : Attack: https://github.com/AlyxRen/prototype.node.js
> CVSS Details : CVE CVSS 3: 7.5; CVSS Vector:
> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
> CVE : CVE-2020-27511
> URL : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27511
> Remediation : This component does not have any non-vulnerable Version. Please
> contact the vendor to get this vulnerability fixed.
> ===
> Description :
> Severity : CVE CVSS 3: 7.5; Sonatype CVSS 3: 7.5
> Weakness : Sonatype CWE: 400
> Source : National Vulnerability Database
> Categories : Data
> Description from CVE : An issue was discovered in the stripTags and
> unescapeHTML components in Prototype 1.7.3 where an attacker can cause a
> Regular Expression Denial of Service through stripping crafted HTML tags.
> Explanation : The prototype package is vulnerable to Regular Expression
> Denial of Service (ReDoS) attacks. The stripTags() function in the String.js
> file used to unescape HTML fails to efficiently parse and remove tags within
> a given string. An attacker can exploit this vulnerability by submitting a
> crafted code block which, when parsed by the affected function, will exhaust
> system resources and trigger a DoS condition.
> Detection : The application is vulnerable by using this component.
> Recommendation : There is no non-vulnerable upgrade path for this
> component/package. We recommend investigating alternative components or a
> potential mitigating control.
> Root Cause : strudl.0.3.13 : [ , ]
> Advisories : Attack: https://github.com/AlyxRen/prototype.node.js
> CVSS Details : CVE CVSS 3: 7.5; CVSS Vector:
> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
> CVE : CVE-2020-27511
> URL : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27511
> Remediation : This component does not have any non-vulnerable Version. Please
> contact the vendor to get this vulnerability fixed.
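The comment above rests on a reachability argument: the flagged library functions exist in the shipped prototype.js, but nothing in the application calls them, so the vulnerable regex is never on a code path. The script below is an added example of how to make that check repeatable (it is not Ken Liao's script nor anything from the ActiveMQ project). It walks a source tree, finds every mention of {{stripTags}} and {{unescapeHTML}}, and separates the library's own definitions and internal uses inside the defining file from call sites elsewhere, which are the only ones that matter for triage. The sample tree it builds is constructed for the demonstration; the prototype.js it writes is a placeholder stand-in and does not reproduce the library's real source or regex.

```python
"""Added example: reachability triage for CVE-2020-27511 (Prototype.js).

Scan a checkout for mentions of the flagged methods and split them into
  definitions  - where the library defines/registers the method,
  internal     - other mentions inside a file that defines the method
                 (the library calling itself),
  references   - mentions anywhere else, i.e. application call sites.
Only 'references' put the vulnerable functions on an application code path.
"""
import re
import tempfile
from pathlib import Path

FLAGGED_METHODS = ("stripTags", "unescapeHTML")  # the two methods named in the CVE
SCAN_SUFFIXES = {".js", ".jsx", ".html", ".htm", ".jsp", ".java", ".xml", ".vm"}


def _definition_re(method):
    # function stripTags(...)      stripTags: function / stripTags = function
    # and the  Object.extend(String.prototype, { stripTags: stripTags })  style
    return re.compile(
        rf"\bfunction\s+{method}\s*\(|\b{method}\s*[:=]\s*function\b|\b{method}\s*:\s*{method}\b"
    )


def scan_tree(root):
    """Return {method: {"definitions": [...], "internal": [...], "references": [...]}}.

    Each entry is (relative posix path, line number, stripped line text).
    """
    root = Path(root)
    report = {m: {"definitions": [], "internal": [], "references": []} for m in FLAGGED_METHODS}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        rel = path.relative_to(root).as_posix()
        for method in FLAGGED_METHODS:
            def_re = _definition_re(method)
            use_re = re.compile(rf"\b{method}\b")  # \b keeps escapeHTML from matching unescapeHTML
            hits = [(i, ln.strip()) for i, ln in enumerate(lines, 1) if use_re.search(ln)]
            if not hits:
                continue
            file_defines_method = any(def_re.search(text) for _, text in hits)
            for lineno, text in hits:
                if def_re.search(text):
                    bucket = "definitions"
                elif file_defines_method:
                    bucket = "internal"
                else:
                    bucket = "references"
                report[method][bucket].append((rel, lineno, text))
    return report


def reachable_methods(report):
    """Flagged methods that application code actually references."""
    return sorted(m for m, r in report.items() if r["references"])


def build_sample_tree():
    """Constructed sample checkout (hypothetical files, not the real ActiveMQ or Prototype source)."""
    root = Path(tempfile.mkdtemp(prefix="amq-triage-"))
    (root / "web").mkdir()
    (root / "demo").mkdir()
    (root / "web" / "prototype.js").write_text(
        "function stripTags() {\n"
        "  return this.replace(/<[^>]+>/g, '');  // placeholder body, not the library's regex\n"
        "}\n"
        "function unescapeHTML() {\n"
        "  return this.stripTags().replace(/&lt;/g, '<');  // library calling itself\n"
        "}\n"
        "Object.extend(String.prototype, {\n"
        "  stripTags: stripTags,\n"
        "  unescapeHTML: unescapeHTML\n"
        "});\n"
    )
    (root / "web" / "queues.js").write_text(
        "var name = $('queueName').value.escapeHTML();  // unrelated method, must not be flagged\n"
    )
    (root / "demo" / "chat.js").write_text(
        "var text = message.unescapeHTML();  // application call site -> reachable\n"
    )
    return root


def main():
    report = scan_tree(build_sample_tree())
    for method, buckets in report.items():
        for bucket, entries in buckets.items():
            for rel, lineno, text in entries:
                print(f"{method:12} {bucket:11} {rel}:{lineno}: {text}")
    print("reachable from application code:", reachable_methods(report) or "none")


if __name__ == "__main__":
    main()
```

Point the scanner at a real checkout with scan_tree("/path/to/activemq"); the quick manual equivalent is grep -rnwE 'stripTags|unescapeHTML' --include='*.js' --include='*.html' --include='*.jsp' . and then reading each hit by hand. A plain text search is a necessary check but not a sufficient one: it will not see a method reached through a computed property lookup such as String.prototype[name], through a minified bundle that renamed nothing but lives outside the scanned suffixes, or through a second copy of the library under another file name, so list every copy of prototype.js in the build output as well before signing off on "not in any code path".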