{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-02-05T00:00:00", "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in Apache ActiveMQ Apollo 1.x before 1.7.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-03-27T19:06:05", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "72508", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/72508"}, {"name": "[oss-security] 20150205 [ANNOUNCE] CVE-2014-3579 - ActiveMQ Apollo vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2015/q1/428"}, {"name": "apache-activemq-cve20143579-info-disc(100721)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/100721"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://issues.apache.org/jira/browse/APLO-366"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://activemq.apache.org/security-advisories.data/CVE-2014-3579-announcement.txt"}, {"name": "[activemq-commits] 20190327 svn commit: r1042639 - in /websites/production/activemq/content/activemq-website: ./ projects/artemis/download/ projects/classic/download/ projects/cms/download/ security-advisories.data/", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2014-3579", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "XML external entity (XXE) vulnerability in Apache ActiveMQ Apollo 1.x before 1.7.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "72508", "refsource": "BID", "url": "http://www.securityfocus.com/bid/72508"}, {"name": "[oss-security] 20150205 [ANNOUNCE] CVE-2014-3579 - ActiveMQ Apollo vulnerability", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2015/q1/428"}, {"name": "apache-activemq-cve20143579-info-disc(100721)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/100721"}, {"name": "https://issues.apache.org/jira/browse/APLO-366", "refsource": "CONFIRM", "url": "https://issues.apache.org/jira/browse/APLO-366"}, {"name": "http://activemq.apache.org/security-advisories.data/CVE-2014-3579-announcement.txt", "refsource": "CONFIRM", "url": "http://activemq.apache.org/security-advisories.data/CVE-2014-3579-announcement.txt"}, {"name": "[activemq-commits] 20190327 svn commit: r1042639 - in /websites/production/activemq/content/activemq-website: ./ projects/artemis/download/ projects/classic/download/ projects/cms/download/ security-advisories.data/", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2@%3Ccommits.activemq.apache.org%3E"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:50:17.422Z"}, "title": "CVE Program Container", "references": [{"name": "72508", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/72508"}, {"name": "[oss-security] 20150205 [ANNOUNCE] CVE-2014-3579 - ActiveMQ Apollo vulnerability", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://seclists.org/oss-sec/2015/q1/428"}, {"name": "apache-activemq-cve20143579-info-disc(100721)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/100721"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://issues.apache.org/jira/browse/APLO-366"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://activemq.apache.org/security-advisories.data/CVE-2014-3579-announcement.txt"}, {"name": "[activemq-commits] 20190327 svn commit: r1042639 - in /websites/production/activemq/content/activemq-website: ./ projects/artemis/download/ projects/classic/download/ projects/cms/download/ security-advisories.data/", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-3579", "datePublished": "2017-10-27T19:00:00", "dateReserved": "2014-05-14T00:00:00", "dateUpdated": "2024-08-06T10:50:17.422Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:activemq_apollo:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "030F086F-7C86-41FF-BDB6-A36453908712", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq_apollo:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "FC11B011-212F-486A-BD39-AC8993B2D8E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq_apollo:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "C49D82C5-4768-4D5F-AD38-6857DA048026", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq_apollo:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "43C60E86-D89F-44BE-B65B-3212A13F1CAB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq_apollo:1.4:*:*:*:*:*:*:*", "matchCriteriaId": "6094353E-7E72-4105-985F-A21EC058D94D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq_apollo:1.5:*:*:*:*:*:*:*", "matchCriteriaId": "0BBEDA99-5F98-46ED-9DAC-9FB122A1295E", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq_apollo:1.6:*:*:*:*:*:*:*", "matchCriteriaId": "784992B5-7726-486A-ACF7-8B6D3D569FCD", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq_apollo:1.7:*:*:*:*:*:*:*", "matchCriteriaId": "B050D873-08F0-45CF-8D0F-BA4A58AD97F9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in Apache ActiveMQ Apollo 1.x before 1.7.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages."}, {"lang": "es", "value": "Vulnerabilidad de XEE (XML External Entity) en Apache ActiveMQ Apollo, en versiones 1.x anteriores a la 1.7.1, permite que consumidores remotos provoquen un impacto sin especificar mediante vectores relacionados con un selector basado en XPath al eliminar de la cola los mensajes XML."}], "id": "CVE-2014-3579", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-10-27T19:29:00.190", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://activemq.apache.org/security-advisories.data/CVE-2014-3579-announcement.txt"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/oss-sec/2015/q1/428"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/72508"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory", "VDB Entry"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/100721"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://issues.apache.org/jira/browse/APLO-366"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://activemq.apache.org/security-advisories.data/CVE-2014-3579-announcement.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/oss-sec/2015/q1/428"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/72508"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory", "VDB Entry"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/100721"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://issues.apache.org/jira/browse/APLO-366"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Georgi Geshev (MWR Labs) for reporting this issue.", "bugzilla": {"description": "Apollo: XXE via XPath expression evaluation", "id": "1135872", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1135872"}, "csaw": false, "cvss": {"cvss_base_score": "5.0", "cvss_scoring_vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "status": "draft"}, "cwe": "CWE-611", "details": ["XML external entity (XXE) vulnerability in Apache ActiveMQ Apollo 1.x before 1.7.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.", "It was discovered that Apache ActiveMQ Apollo performed XML External Entity (XXE) expansion when evaluating XPath expressions. A remote, attacker-controlled consumer able to specify an XPath-based selector to dequeue XML messages from an Apache ActiveMQ Apollo broker could use this flaw to read files accessible to the user running the broker, and potentially perform other more advanced XXE attacks."], "name": "CVE-2014-3579", "package_state": [{"cpe": "cpe:/a:redhat:openshift:1", "fix_state": "Not affected", "package_name": "activemq", "product_name": "OpenShift Enterprise 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Not affected", "package_name": "activemq", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:openshift:2", "fix_state": "Not affected", "package_name": "acrivemq", "product_name": "Red Hat OpenShift Enterprise 2"}], "public_date": "2015-02-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-3579\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-3579"], "statement": "Not vulnerable. Apache ActiveMQ Apollo is not shipped with any supported Red Hat product.", "threat_severity": "Moderate"}

{}