Vulnerability Name:

CVE-2010-1587 (CCN-58056)

Assigned:2010-04-21
Published:2010-04-21
Updated:2018-10-10
Summary:The Jetty ResourceHandler in Apache ActiveMQ 5.x before 5.3.2 and 5.4.x before 5.4.0 allows remote attackers to read JSP source code via a // (slash slash) initial substring in a URI for (1) admin/index.jsp, (2) admin/queues.jsp, or (3) admin/topics.jsp.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
4.1 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
4.1 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-20
Vulnerability Consequences:Obtain Information
References:Source: CCN
Type: Apache Software Foundation Web site
Apache ActiveMQ

Source: CCN
Type: BugTraq Mailing List, Thu Apr 22 2010 - 09:43:10 CDT
Apache ActiveMQ Source Code Disclosure Vulnerability

Source: FULLDISC
Type: UNKNOWN
20100422 Apache ActiveMQ is prone to source code disclosure vulnerability.

Source: MITRE
Type: CNA
CVE-2010-1587

Source: CCN
Type: SA39567
Apache ActiveMQ Source Code Disclosure Vulnerability

Source: SECUNIA
Type: Vendor Advisory
39567

Source: OSVDB
Type: Exploit
64020

Source: CCN
Type: OSVDB ID: 64020
Apache ActiveMQ Jetty ResourceHandler Crafted Request JSP File Source Disclosure

Source: BUGTRAQ
Type: UNKNOWN
20100422 Apache ActiveMQ is prone to source code disclosure vulnerability.

Source: BID
Type: UNKNOWN
39636

Source: CCN
Type: BID-39636
Apache ActiveMQ Source Code Information Disclosure Vulnerability

Source: VUPEN
Type: Vendor Advisory
ADV-2010-0979

Source: XF
Type: UNKNOWN
activemq-jsp-source-disclosure(58056)

Source: CONFIRM
Type: Patch
https://issues.apache.org/activemq/browse/AMQ-2700

Source: CCN
Type: Rapid7 Vulnerability and Exploit Database [05-30-2018]
Apache ActiveMQ JSP Files Source Disclosure

Vulnerable Configuration:Configuration 1:
  • cpe:/a:apache:activemq:5.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:activemq:5.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:activemq:5.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:activemq:5.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:activemq:5.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:activemq:5.4-snapshot:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:apache:activemq:5.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:activemq:5.3.1:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    apache activemq 5.0.0
    apache activemq 5.1.0
    apache activemq 5.2.0
    apache activemq 5.3.0
    apache activemq 5.3.1
    apache activemq 5.4-snapshot
    apache activemq 5.2.0
    apache activemq 5.3.1