#VU38005 XML External Entity injection in ActiveMQ - CVE-2014-3600
Published: October 27, 2017 / Updated: August 8, 2020
Vulnerability identifier: #VU38005
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2014-3600
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
ActiveMQ
ActiveMQ
Software vendor:
Apache Foundation
Apache Foundation
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.
Remediation
Install update from vendor's website.
External links
- http://activemq.apache.org/security-advisories.data/CVE-2014-3600-announcement.txt
- http://seclists.org/oss-sec/2015/q1/427
- http://www.securityfocus.com/bid/72510
- https://exchange.xforce.ibmcloud.com/vulnerabilities/100722
- https://issues.apache.org/jira/browse/AMQ-5333
- https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2@%3Ccommits.activemq.apache.org%3E