{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-35278", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "dateUpdated": "2024-08-03T09:36:44.249Z", "dateReserved": "2022-07-06T00:00:00", "datePublished": "2022-08-23T00:00:00"}, "containers": {"cna": {"title": "HTML Injection in ActiveMQ Artemis Web Console", "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2022-12-09T00:00:00"}, "descriptions": [{"lang": "en", "value": "In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue."}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache ActiveMQ Artemis", "versions": [{"version": "unspecified", "lessThanOrEqual": "2.23.1", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://lists.apache.org/thread/bh6y81wtotg75337bpvxcjy436zfgf3n"}, {"url": "https://security.netapp.com/advisory/ntap-20221209-0005/"}], "credits": [{"lang": "en", "value": "Apache ActiveMQ would like to thank Yash Pandya (Digital14), Rajatkumar Karmarkar (Digital14), and Likhith Cheekatipalle (Digital14) for reporting this issue."}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "cweId": "CWE-80"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "UNKNOWN"}, "workarounds": [{"lang": "en", "value": "Upgrade to Apache ActiveMQ Artemis 2.24.0."}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:36:44.249Z"}, "title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/bh6y81wtotg75337bpvxcjy436zfgf3n", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20221209-0005/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:activemq_artemis:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7B5E9AA-8931-4C25-9A87-87C0B5062ABD", "versionEndExcluding": "2.24.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue."}, {"lang": "es", "value": "En Apache ActiveMQ Artemis versiones anteriores a 2.24.0, un atacante pod\u00eda mostrar contenido malicioso y/o redirigir a usuarios a una URL maliciosa en la consola web usando HTML en el nombre de una direcci\u00f3n o cola."}], "id": "CVE-2022-35278", "lastModified": "2022-12-13T01:59:50.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-23T15:15:11.247", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.apache.org/thread/bh6y81wtotg75337bpvxcjy436zfgf3n"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20221209-0005/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-80"}], "source": "security@apache.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2022:6916", "cpe": "cpe:/a:redhat:amq_broker:7", "package": "artemis-plugin", "product_name": "AMQ Broker 7.10.1", "release_date": "2022-10-12T00:00:00Z"}, {"advisory": "RHSA-2022:6292", "cpe": "cpe:/a:redhat:amq_broker:7", "package": "artemis-plugin", "product_name": "Red Hat AMQ 7.8.7", "release_date": "2022-09-01T00:00:00Z"}], "bugzilla": {"description": "activemq-artemis: AMQ Broker web console HTML Injection", "id": "2109805", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2109805"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-74", "details": ["In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue.", "A security vulnerability was found in ActiveMQ Artemis. This flaw allows an attacker to show malicious content and redirect users to a malicious URL in the web console by using HTML in the name of an address or queue."], "name": "CVE-2022-35278", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "artemis-plugin", "product_name": "Red Hat JBoss Fuse 7"}], "public_date": "2022-08-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-35278\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-35278"], "threat_severity": "Important"}