Chapter 6. Fixed Common Vulnerabilities and Exposures
This section details Common Vulnerabilities and Exposures (CVEs) fixed in the AMQ Broker 7.12 release.
- ENTMQBR-8644 - CVE-2023-6717 keycloak: XSS via assertion consumer service URL in SAML POST-binding flow [amq-7]
- ENTMQBR-8976 - CVE-2024-29025 netty-codec-http: Allocation of Resources Without Limits or Throttling [amq-7]
- ENTMQBR-8927 - CVE-2024-22259 springframework: URL Parsing with Host Validation [amq-7]
- ENTMQBR-8740 - CVE-2024-1132 keycloak: path traversal in redirection validation [amq-7]
- ENTMQBR-8758 - CVE-2024-1249 keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkLoginIframe leads to DDoS [amq-7]
- ENTMQBR-8626 - CVE-2023-6378 logback: serialization vulnerability in logback receiver [amq-7]
- ENTMQBR-8627 - CVE-2023-6481 logback: serialization vulnerability in logback receiver [amq-7]
- ENTMQBR-8953 - CVE-2024-29131 CVE-2024-29133 commons-configuration2: various flaws [amq-7]
- ENTMQBR-8702 - CVE-2023-44981 zookeeper: Authorization Bypass in Apache ZooKeeper [amq-7]
- ENTMQBR-8611 - CVE-2022-41678 activemq: Apache ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE [amq-7]
- ENTMQBR-8225 - CVE-2023-24540 amq-broker-rhel8-operator-container: golang: html/template: improper handling of JavaScript whitespace [amq-7]
- ENTMQBR-8227 - CVE-2022-21698 amq-broker-rhel8-operator-container: prometheus/client_golang: Denial of service using InstrumentHandlerCounter [amq-7]
- ENTMQBR-8238 - CVE-2022-21698 CVE-2023-24534 amq-broker-rhel8-operator-container: golang: net/http, net/textproto: denial of service from excessive memory allocation [amq-7]
- ENTMQBR-8239 - CVE-2023-29400 amq-broker-rhel8-operator-container: golang: html/template: improper handling of empty HTML attributes [amq-7]
- ENTMQBR-8240 - CVE-2023-24539 amq-broker-rhel8-operator-container: golang: html/template: improper sanitization of CSS values [amq-7]
- ENTMQBR-8228 - CVE-2021-43565 amq-broker-rhel8-operator-container: golang.org/x/crypto: empty plaintext packet causes panic [amq-7]
- ENTMQBR-8230 - CVE-2022-41723 amq-broker-rhel8-operator-container: net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding [amq-7]
- ENTMQBR-8236 - CVE-2023-24536 amq-broker-rhel8-operator-container: golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption [amq-7]
- ENTMQBR-8237 - CVE-2023-24537 amq-broker-rhel8-operator-container: golang: go/parser: Infinite loop in parsing [amq-7]
- ENTMQBR-8231 - CVE-2022-2879 amq-broker-rhel8-operator-container: golang: archive/tar: unbounded memory consumption when reading headers [amq-7]
- ENTMQBR-8229 - CVE-2022-27664 amq-broker-rhel8-operator-container: golang: net/http: handle server errors after sending GOAWAY [amq-7]
- ENTMQBR-8226 - CVE-2022-32189 amq-broker-rhel8-operator-container: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service [amq-7]
- ENTMQBR-8232 - CVE-2022-41715 amq-broker-rhel8-operator-container: golang: regexp/syntax: limit memory used by parsing regexps [amq-7]
- ENTMQBR-8241 - CVE-2023-24538 amq-broker-rhel8-operator-container: golang: html/template: backticks not treated as string delimiters [amq-7]
- ENTMQBR-8233 - CVE-2022-2880 amq-broker-rhel8-operator-container: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters [amq-7]
- ENTMQBR-8234 - CVE-2022-41724 amq-broker-rhel8-operator-container: golang: crypto/tls: large handshake records may cause panics [amq-7]
- ENTMQBR-8608 - CVE-2022-41678 activemq-broker-operator: Apache ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE [amq-7]
- ENTMQBR-8235 - CVE-2022-41725 amq-broker-rhel8-operator-container: golang: net/http, mime/multipart: denial of service from excessive resource consumption [amq-7]
- ENTMQBR-8671 - CVE-2023-51074 json-path: stack-based buffer overflow in Criteria.parse method [amq-7]