Apache ActiveMQ Source Code Information Disclosure Vulnerability

Bugtraq ID:	39636
Class:	Input Validation Error
CVE:	CVE-2010-1587
Remote:	Yes
Local:	No
Published:	Apr 22 2010 12:00AM
Updated:	Jan 14 2016 11:51PM
Credit:	Veerendra G.G of SecPod Technologies
Vulnerable:	Apache Software Foundation Apache ActiveMQ 5.3.1 Apache Software Foundation Apache ActiveMQ 5.3 Apache Software Foundation Apache ActiveMQ 5.2
Not Vulnerable:	Apache Software Foundation Apache ActiveMQ 5.4 SNAPSHOT

Apache ActiveMQ Source Code Information Disclosure Vulnerability

Apache ActiveMQ is prone to a vulnerability that lets attackers access source code because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable computer in the context of the webserver process. Information obtained may aid in further attacks.

Apache ActiveMQ 5.3.1 and prior are vulnerable.

NOTE: This vulnerability may be related to BID 27117 (Jetty Double Slash URI Information Disclosure Vulnerability).

Apache ActiveMQ Source Code Information Disclosure Vulnerability

Attackers can exploit this vulnerability through a browser.

The following example URIs are available:

http://www.example.com:8161//admin/index.jsp
http://www.example.com:8161//admin/queues.jsp
http://www.example.com:8161//admin/topics.jsp

Apache ActiveMQ Source Code Information Disclosure Vulnerability

Solution:
Updates are available. Please see the references for details.

Apache ActiveMQ Source Code Information Disclosure Vulnerability

References:

• Apache ActiveMQ - Homepage (Apache)
  
• Apache ActiveMQ is prone to source code disclosure vulnerability (ActiveMQ)
  
• ActiveMQ is prone to source code disclosure vulnerability ([email protected])
  
• swg21968792 Security vulnerabilities in ActiveMQ 5.2.0 affect IBM Sterling B2B I (IBM)