CyberSec.Space Logo
CVEブラウザに戻る

CVE-2014-3600

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0970%
EPSS Percentile33.06th
Published2017年10月27日
Last Modified2026年5月13日

Vulnerability Description

XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.

Affected Platforms (CPE)

📦
Apache

Activemq

= 5.0.0
📦
Apache

Activemq

= 5.1.0
📦
Apache

Activemq

= 5.2.0
📦
Apache

Activemq

= 5.3.0
📦
Apache

Activemq

= 5.3.1
📦
Apache

Activemq

= 5.3.2
📦
Apache

Activemq

= 5.4.0
📦
Apache

Activemq

= 5.4.1
📦
Apache

Activemq

= 5.4.2
📦
Apache

Activemq

= 5.4.3
📦
Apache

Activemq

= 5.5.0
📦
Apache

Activemq

= 5.5.1
📦
Apache

Activemq

= 5.6.0
📦
Apache

Activemq

= 5.7.0
📦
Apache

Activemq

= 5.8.0
📦
Apache

Activemq

= 5.9.0
📦
Apache

Activemq

= 5.9.1
📦
Apache

Activemq

= 5.10.0

References & Advisories

🔗 http://activemq.apache.org/security-advisories.data/CVE-2014-3600-announcement.txt
🔗 http://seclists.org/oss-sec/2015/q1/427
🔗 http://www.securityfocus.com/bid/72510
🔗 https://exchange.xforce.ibmcloud.com/vulnerabilities/100722
🔗 https://issues.apache.org/jira/browse/AMQ-5333
🔗 https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E
🔗 http://activemq.apache.org/security-advisories.data/CVE-2014-3600-announcement.txt
🔗 http://seclists.org/oss-sec/2015/q1/427

関連する脆弱性情報

CVE-2020-119989.8

A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, ...

CVE-2020-139319.8

If Apache TomEE 8.0.0-M1 - 8.0.3, 7.1.0 - 7.1.3, 7.0.0-M1 - 7.0.8, 1.0.0 - 1.7.5 is configured to use the embedded ActiveMQ broker...

CVE-2020-119699.8

If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX po...

CVE-2014-35799.8

XML external entity (XXE) vulnerability in Apache ActiveMQ Apollo 1.x before 1.7.1 allows remote consumers to have unspecified imp...