-
Notifications
You must be signed in to change notification settings - Fork 4
/
BIT-2020-11998.json
74 lines (74 loc) · 2.38 KB
/
BIT-2020-11998.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
{
"schema_version": "1.5.0",
"id": "BIT-2020-11998",
"details": "A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html \"A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code.\" Mitigation: Upgrade to Apache ActiveMQ 5.15.13",
"aliases": [
"CVE-2020-11998"
],
"affected": [
{
"package": {
"ecosystem": "bitnami",
"name": "activemq",
"purl": "pkg:bitnami/activemq"
},
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "5.15.12"
},
{
"last_affected": "5.15.12"
}
]
}
]
}
],
"database_specific": {
"severity": "Critical",
"cpes": [
"cpe:2.3:a:apache:activemq:5.15.12:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://activemq.apache.org/security-advisories.data/CVE-2020-11998-announcement.txt"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"published": "2023-09-14T13:41:00.102Z",
"modified": "2023-09-14T13:50:47.856Z"
}