CVE-2018-8006
Published: 10 October 2018
An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the queue.jsp page of Apache ActiveMQ versions 5.0.0 to 5.15.5. The root cause of this issue is improper data filtering of the QueueFilter parameter.
Notes
| Author | Note |
|---|---|
| sbeattie | admin console not enabled in packaging |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
activemq Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.15.8-2~18.04)
|
| cosmic |
Not vulnerable
(5.15.8-2~18.04)
|
|
| disco |
Not vulnerable
(5.15.8-2)
|
|
| eoan |
Not vulnerable
(5.15.8-2)
|
|
| focal |
Not vulnerable
(5.15.8-2)
|
|
| groovy |
Not vulnerable
(5.15.8-2)
|
|
| hirsute |
Not vulnerable
(5.15.8-2)
|
|
| impish |
Not vulnerable
(5.15.8-2)
|
|
| jammy |
Not vulnerable
(5.15.8-2)
|
|
| kinetic |
Not vulnerable
(5.15.8-2)
|
|
| lunar |
Not vulnerable
(5.15.8-2)
|
|
| mantic |
Not vulnerable
(5.15.8-2)
|
|
| noble |
Not vulnerable
(5.15.8-2)
|
|
| trusty |
Does not exist
(trusty was needed)
|
|
| upstream |
Needs triage
|
|
| xenial |
Needed
|
|
|
Patches: other: https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=d25de5d other: https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=d8c80a9 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.1 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |