TLS Hostname Verification Vulnerability in Apache ActiveMQ Client
CVE-2018-11775

7.4HIGH

Key Information:

Vendor
Apache
Status
Apache ActiveMQ
Vendor
CVE Published:
10 September 2018

Summary

The Apache ActiveMQ Client prior to version 5.15.6 contains a vulnerability due to the absence of TLS hostname verification. This oversight can expose Java applications utilizing the ActiveMQ client to potential man-in-the-middle (MITM) attacks when communicating with ActiveMQ servers. The vulnerability has been addressed in later versions, where hostname verification is now enabled by default to enhance security and protect data integrity during communications.

Affected Version(s)

Apache ActiveMQ 5.0.0 - 5.15.5

References

http://www.securitytracker.com/id/1041618
vdb-entryx_refsource_SECTRACK
http://www.securityfocus.com/bid/105335
vdb-entryx_refsource_BID
https://lists.apache.org/thread.html/2b5c0039197a4949f29e...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.