Vulnerability Description
XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | ActiveMQ | 5.0.0 |
Related Weaknesses (CWE)
References
- http://activemq.apache.org/security-advisories.data/CVE-2014-3600-announcement.t (Vendor Advisory)
- http://seclists.org/oss-sec/2015/q1/427 (Mailing List, Third Party Advisory)
- http://www.securityfocus.com/bid/72510 (Third Party Advisory, VDB Entry)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/100722 (Third Party Advisory, VDB Entry)
- https://issues.apache.org/jira/browse/AMQ-5333 (Issue Tracking, Third Party Advisory)
- https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65
FAQ
What is CVE-2014-3600?
CVE-2014-3600 is a vulnerability with a CVSS score of 9.8 (CRITICAL). XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML message...
How severe is CVE-2014-3600?
CVE-2014-3600 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2014-3600?
Check the references section above for vendor advisories and patch information. Affected products include: Apache ActiveMQ.