ID CVE-2016-0734
Summary The web-based administration console in Apache ActiveMQ 5.x before 5.13.2 does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:activemq:5.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.10.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.10.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.10.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.11.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.11.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.11.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.12.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.12.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:activemq:5.13.0:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 27-03-2019 - 20:29)
Impact:
Exploitability:
CWE CWE-254
CAPEC
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: PARTIAL
  • Availability: NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:P/A:N
redhat via4
advisories
rhsa
id RHSA-2016:1424
refmap via4
bid 84321
confirm http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt
mlist
  • [activemq-commits] 20190327 svn commit: r1042639 - in /websites/production/activemq/content/activemq-website: ./ projects/artemis/download/ projects/classic/download/ projects/cms/download/ security-advisories.data/
  • [oss-security] 20160310 [ANNOUNCE] CVE-2016-0734: ActiveMQ Web Console - Clickjacking
sectrack 1035327
Last major update 27-03-2019 - 20:29
Published 07-04-2016 - 19:59
Last modified 27-03-2019 - 20:29