Vulnerability Name: CVE-2014-3600 (CCN-100722) Assigned: 2014-05-14 Published: 2015-02-05 Updated: 2019-03-27 Summary: XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages. CVSS v3 Severity: 9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): LowIntegrity (I): NoneAvailibility (A): None
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P 5.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAuthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): PartialAvailibility (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N 3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): NoneAvailibility (A): None
Vulnerability Type: CWE-611 Vulnerability Consequences: Obtain Information References: Source: CCNCVE-2014-3600: Apache ActiveMQ XXE with XPath selectors http://activemq.apache.org/security-advisories.data/CVE-2014-3600-announcement.txt CVE-2014-3600 [ANNOUNCE] CVE-2014-3600, CVE-2014-3612 and CVE-2014-8110 - Apache ActiveMQ vulnerabilities [oss-security] 20150205 [ANNOUNCE] CVE-2014-3600, CVE-2014-3612 and CVE-2014-8110 - Apache ActiveMQ vulnerabilities Vulnerability in Apache ActiveMQ library affects IBM Sterling Secure Proxy (CVE-2014-3600, CVE-2014-8110) Multiple vulnerabilities in Apache ActiveMQ affect IBM Tivoli System Automation Application Manager (CVE-2014-3600, CVE-2014-3612, CVE-2014-8110) Multiple vulnerabilities in Apache ActiveMQ affect IBM Control Center (CVE-2014-3600, CVE-2014-3612, CVE-2014-8110, CVE-2014-3579) Vulnerabilities in Open Source Apache ActiveMQ affect IBM Marketing Platform (CVE-2014-3600, CVE-2014-3612, CVE-2014-8110, CVE-2014-3579) Jazz for Service Management is affected by Open Source Apache ActiveMQ vulnerability - Reported in 02/05/2015 X-Force Report OpenSource Apache ActiveMQ vulnerabilities identified with IBM Tivoli Integrated Portal (TIP) v2.2 IBM Tivoli Netcool Impact is affected by multiple vulnerabilities in IBM Tivoli Integrated Portal (TIP) 72510 Apache ActiveMQ CVE-2014-3600 XML External Entity Injection Vulnerability apache-activemq-cve20143600-info-disc(100722) apache-activemq-cve20143600-info-disc(100722) https://issues.apache.org/jira/browse/AMQ-5333 [activemq-commits] 20190327 svn commit: r1042639 - in /websites/production/activemq/content/activemq-website: ./ projects/artemis/download/ projects/classic/download/ projects/cms/download/ security-advisories.data/ Multiple Security Vulnerabilities in ActiveMQ Affect IBM Sterling B2B Integrator IBM has announced a release for IBM Security Identity Governance and Intelligence in response to multiple security vulnerabilities IBM Security Directory Integrator is affected by multiple security vulnerabilities IBM Engineering Requirements Management DOORS/DWA vulnerabilities fixes for 9.7.2.6 IBM Security Directory Suite is vulnerable to multiple issues CVE-2014-3600 Vulnerable Configuration: Configuration 1 :cpe:/a:apache:activemq:5.0.0:*:*:*:*:*:*:* OR cpe:/a:apache:activemq:5.1.0:*:*:*:*:*:*:* OR cpe:/a:apache:activemq:5.2.0:*:*:*:*:*:*:* OR cpe:/a:apache:activemq:5.3.0:*:*:*:*:*:*:* OR cpe:/a:apache:activemq:5.3.1:*:*:*:*:*:*:* OR cpe:/a:apache:activemq:5.3.2:*:*:*:*:*:*:* OR cpe:/a:apache:activemq:5.4.0:*:*:*:*:*:*:* OR cpe:/a:apache:activemq:5.4.1:*:*:*:*:*:*:* OR cpe:/a:apache:activemq:5.4.2:*:*:*:*:*:*:* OR cpe:/a:apache:activemq:5.4.3:*:*:*:*:*:*:* OR cpe:/a:apache:activemq:5.5.0:*:*:*:*:*:*:* OR cpe:/a:apache:activemq:5.5.1:*:*:*:*:*:*:* OR cpe:/a:apache:activemq:5.6.0:*:*:*:*:*:*:* OR cpe:/a:apache:activemq:5.7.0:*:*:*:*:*:*:* OR cpe:/a:apache:activemq:5.8.0:*:*:*:*:*:*:* OR cpe:/a:apache:activemq:5.9.0:*:*:*:*:*:*:* OR cpe:/a:apache:activemq:5.9.1:*:*:*:*:*:*:* OR cpe:/a:apache:activemq:5.10.0:*:*:*:*:*:*:* Configuration CCN 1 :cpe:/a:apache:activemq:5.10.0:*:*:*:*:*:*:* AND cpe:/a:ibm:tivoli_system_automation_application_manager:3.2.2:*:*:*:*:*:*:* OR cpe:/a:ibm:tivoli_netcool/impact:6.1.1:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:-:*:*:*:*:*:*:* OR cpe:/a:ibm:tivoli_system_automation_application_manager:4.1:*:*:*:*:*:*:* OR cpe:/a:ibm:tivoli_netcool/impact:6.1:*:*:*:*:*:*:* OR cpe:/a:ibm:tivoli_netcool/impact:7.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_secure_proxy:3.4.2:*:*:*:*:*:*:* OR cpe:/a:ibm:control_center:5.3:*:*:*:*:*:*:* OR cpe:/a:ibm:control_center:5.4:*:*:*:*:*:*:* OR cpe:/a:ibm:control_center:5.4.1:*:*:*:*:*:*:* OR cpe:/a:ibm:control_center:5.4.2.1:*:*:*:*:*:*:* OR cpe:/a:ibm:control_center:6.0:*:*:*:*:*:*:* OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2:*:*:*:*:*:*:* OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.1:*:*:*:*:*:*:* OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.2:*:*:*:*:*:*:* OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.2.1:*:*:*:*:*:*:* OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3:*:*:*:*:*:*:* OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3.1:*:*:*:*:*:*:* OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3.2:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:5.2.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:5.2.6.3:*:*:*:*:*:*:* OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.4:*:*:*:*:*:*:* OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.4.1:*:*:*:*:*:*:* Oval Definitions BACK
apache activemq 5.0.0
apache activemq 5.1.0
apache activemq 5.2.0
apache activemq 5.3.0
apache activemq 5.3.1
apache activemq 5.3.2
apache activemq 5.4.0
apache activemq 5.4.1
apache activemq 5.4.2
apache activemq 5.4.3
apache activemq 5.5.0
apache activemq 5.5.1
apache activemq 5.6.0
apache activemq 5.7.0
apache activemq 5.8.0
apache activemq 5.9.0
apache activemq 5.9.1
apache activemq 5.10.0
apache activemq 5.10.0
ibm tivoli system automation application manager 3.2.2
ibm tivoli netcool/impact 6.1.1
ibm sterling b2b integrator -
ibm tivoli system automation application manager 4.1
ibm tivoli netcool/impact 6.1
ibm tivoli netcool/impact 7.1.0
ibm sterling secure proxy 3.4.2
ibm control center 5.3
ibm control center 5.4
ibm control center 5.4.1
ibm control center 5.4.2.1
ibm control center 6.0
ibm security identity governance and intelligence 5.2
ibm security identity governance and intelligence 5.2.1
ibm security identity governance and intelligence 5.2.2
ibm security identity governance and intelligence 5.2.2.1
ibm security identity governance and intelligence 5.2.3
ibm security identity governance and intelligence 5.2.3.1
ibm security identity governance and intelligence 5.2.3.2
ibm sterling b2b integrator 5.2.0.1
ibm sterling b2b integrator 5.2.6.3
ibm security identity governance and intelligence 5.2.4
ibm security identity governance and intelligence 5.2.4.1
Denotes that component is vulnerable