> Critical: CVE-2016-1000027 — https://nvd.nist.gov/vuln/detail/CVE-2016-1000027
The link indicates the CVE impacts "Spring Framework through 5.3.16." However, ActiveMQ Classic 5.19.0 ships with Spring 5.3.39. This seems like a false positive from your scanner.

Justin

On Mon, Apr 21, 2025 at 10:28 AM Simmons, Delbert <delbert.simm...@zigabyte.com> wrote:

> Hi,
>
> I am new to the group. Hoping to get some information on two vulnerabilities that were returned when running a Trivy scan on ActiveMQ 5.19.0. I realize these would be resolved if we just upgraded to ActiveMQ 6.1.6, but another piece of software on our system is not compatible with Java 17. It looks like the newest supported version of ActiveMQ on Java 11 is ActiveMQ 5.19.0. However, our security scan had two findings that are areas of concern. Is 5.19.0 actually impacted by these findings? If not, please give an explanation as to why not.
>
> Additionally, are there plans to upgrade these components to the "fixed version" as indicated in the screenshot below?
>
> Components of ActiveMQ 5.19.0:
>
> *spring-web 5.3.39.0*
> Critical: CVE-2016-1000027 — https://nvd.nist.gov/vuln/detail/CVE-2016-1000027
>
> *camel-core 2.25.4.0*
> High: CVE-2020-11971 — https://nvd.nist.gov/vuln/detail/CVE-2020-11971
>
> *Respectfully,*
>
> *Del Simmons*
> Consultant
> <https://urldefense.com/v3/__http://www.zigabyte.com/__;!!MsNKLpFGsw!d8VVFIzsLhgC9SM4EQq1jA77hUnZWVBLU9gTApv8Rd_choaYLWxwXaxCKinfYePD$>
> Character | Competence | Community
>
> email: delbert.simm...@zigabyte.com
> cell: 803.269.9182
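The check Justin does above (is the shipped version inside the advisory's affected range, or is the scanner matching on the component name alone?) is worth making mechanical when a scan returns many findings. The following is an added example, not code from the thread, from ActiveMQ or from Trivy. It assumes the NVD-style range wording quoted in the reply ("through X", inclusive) and also handles the other common phrasing, "before X" (exclusive). The range for CVE-2016-1000027 is taken from the reply; the camel-core finding is left with no range because the thread does not state one, and the third finding is constructed purely to exercise the "affected" branch.

```python
"""
Triage helper: decide whether a scanner finding is a version-range false
positive. Added example; not part of the mailing-list thread.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# ("through", "5.3.16") means versions <= 5.3.16 are affected (inclusive);
# ("before", "5.3.17") means versions <  5.3.17 are affected (exclusive);
# None means the affected range has not been extracted from the advisory yet.
AffectedRange = Optional[Tuple[str, str]]


@dataclass(frozen=True)
class Finding:
    component: str
    shipped: str          # version the scanner reported for the artifact
    cve: str
    affected: AffectedRange


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.3.39.0' into (5, 3, 39, 0), ignoring non-numeric qualifiers."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(n) for n in nums)


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad with zeros so 5.3.16 and 5.3.16.0 compare as equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def in_affected_range(shipped: str, affected: Tuple[str, str]) -> bool:
    kind, bound = affected
    s, b = _pad(parse_version(shipped), parse_version(bound))
    if kind == "through":
        return s <= b
    if kind == "before":
        return s < b
    raise ValueError(f"unknown range kind {kind!r}")


def triage(f: Finding) -> str:
    """'affected', 'false-positive', or 'needs-review' when no range is known."""
    if f.affected is None:
        return "needs-review"
    return "affected" if in_affected_range(f.shipped, f.affected) else "false-positive"


# Constructed input mirroring the thread's two findings plus one made-up one.
FINDINGS = [
    Finding("spring-web", "5.3.39.0", "CVE-2016-1000027", ("through", "5.3.16")),
    Finding("camel-core", "2.25.4.0", "CVE-2020-11971", None),  # range not in thread
    Finding("example-lib", "5.3.10", "CVE-PLACEHOLDER", ("through", "5.3.16")),  # constructed
]


def triage_all(findings=FINDINGS) -> dict:
    return {f.cve: triage(f) for f in findings}


if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f.cve:17} {f.component} {f.shipped}: {triage(f)}")
```

The range string is the part that must be taken from the advisory itself rather than from the scanner output, since a scanner that matches on artifact name can report a finding the advisory's version bounds exclude; a confirmed false positive can then be recorded in the scanner's ignore list (for Trivy, a `.trivyignore` entry keyed by CVE) with a comment pointing at the range that clears it. The helper only answers the version-range question; a finding whose range it cannot parse stays "needs-review".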