CVE-2014-3600
CRITICAL 9.8
EPSS 0.51%
Improper Restriction of XML External Entity Reference in Apache ActiveMQ
Published: 5/14/2022
Modified: 4/28/2026
Description
XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.
Affected packages (3)
- Debian/activemq from 0, < 5.6.0+dfsg1-4
- Maven/org.apache.activemq:activemq-broker >= 5.0.0, < 5.10.1
- Maven/org.apache.activemq:activemq-client >= 5.0.0, < 5.10.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (9)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2014-3600
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2014-3600
- WEB: http://activemq.apache.org/security-advisories.data/CVE-2014-3600-announcement.txt
- WEB: http://seclists.org/oss-sec/2015/q1/427
- WEB: https://exchange.xforce.ibmcloud.com/vulnerabilities/100722
- WEB: https://github.com/apache/activemq
- WEB: https://github.com/apache/activemq/commit/3e5ac6326db59f524a0e71f6b717428607d7b67d
- WEB: https://issues.apache.org/jira/browse/AMQ-5333
- WEB: https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2@%3Ccommits.activemq.apache.org%3E