CVE-2016-0734 - The web-based administration console in Apache ActiveMQ 5.x before 5.13.2 does not send an X-Frame-O

CVE-2016-0734

Summary

The web-based administration console in Apache ActiveMQ 5.x before 5.13.2 does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element.

References

Vulnerable Configurations

cpe:2.3:a:apache:activemq:5.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.1.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.1.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.2.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.2.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.3.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.3.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.3.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.3.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.3.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.3.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.4.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.4.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.4.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.4.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.4.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.4.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.4.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.4.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.5.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.5.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.5.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.5.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.6.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.6.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.7.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.7.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.8.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.8.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.9.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.9.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.9.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.9.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.10.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.10.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.10.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.10.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.10.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.10.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.11.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.11.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.11.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.11.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.11.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.11.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.12.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.12.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.12.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.12.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.12.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.12.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.13.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.13.0:*:*:*:*:*:*:*

CVSS

Base:	4.3 (as of 27-03-2019 - 20:29)
Impact:
Exploitability:

CWE

CWE-254

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
NONE	PARTIAL	NONE

cvss-vector via4

AV:N/AC:M/Au:N/C:N/I:P/A:N

redhat via4

advisories

rhsa

id	RHSA-2016:1424

refmap via4

bid	84321
confirm	http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt
mlist	[activemq-commits] 20190327 svn commit: r1042639 - in /websites/production/activemq/content/activemq-website: ./ projects/artemis/download/ projects/classic/download/ projects/cms/download/ security-advisories.data/ [oss-security] 20160310 [ANNOUNCE] CVE-2016-0734: ActiveMQ Web Console - Clickjacking
sectrack	1035327

Last major update

27-03-2019 - 20:29

Published

07-04-2016 - 19:59

Last modified

27-03-2019 - 20:29