CVE-2018-11775

7.4HIGH

Key Information:

Vendor: Apache
Status: Apache ActiveMQ
Vendor: CVE Published:; 10 September 2018

Summary

TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.

Affected Version(s)

Apache ActiveMQ 5.0.0 - 5.15.5

References

http://www.securitytracker.com/id/1041618

vdb-entryx_refsource_SECTRACK

http://www.securityfocus.com/bid/105335

vdb-entryx_refsource_BID

https://lists.apache.org/thread.html/2b5c0039197a4949f29e...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 10, 2018
Vulnerability Reserved
Jun 5, 2018

.