GitHub Advisory DatabaseGHSA-V2C9-9M8V-8JJMApache ActiveMQ Sensitive Information Disclosure via the Jetty ResourceHandler
The Jetty ResourceHandler in Apache ActiveMQ 5.x before 5.3.2 and 5.4.x before 5.4.0 allows remote attackers to read JSP source code via a // (slash slash) initial substring in a URI for (1) admin/index.jsp, (2) admin/queues.jsp, or (3) admin/topics.jsp.
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.apache.activemq:activemq-web-console | lt | 5.3.2 |
References
github.com/advisories/GHSA-v2c9-9m8v-8jjm
github.com/apache/activemq/commit/aadd17ab7b6b6a664322538d25ee96dad67616e0
github.com/apache/activemq/compare/activemq-5.3.1...activemq-parent-5.3.2
github.com/apache/activemq/tree/main/activemq-web-console/src/main/webapp
issues.apache.org/activemq/browse/AMQ-2700
nvd.nist.gov/vuln/detail/CVE-2010-1587
web.archive.org/web/20100426064914/www.vupen.com/english/advisories/2010/0979
web.archive.org/web/20100702082040/secunia.com/advisories/39567
web.archive.org/web/20150314050810/archives.neohapsis.com/archives/fulldisclosure/2010-04/0278.html
web.archive.org/web/20200228044456/www.securityfocus.com/bid/39636
web.archive.org/web/20201208002259/www.securityfocus.com/archive/1/510896/100/0/threaded
Related
