activemq-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [activemq-website] branch asf-site updated: Automatic Site Publish by Buildbot
Date Thu, 10 Sep 2020 04:22:38 GMT
This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-site
in repository

The following commit(s) were added to refs/heads/asf-site by this push:
     new 4c0a9c1  Automatic Site Publish by Buildbot
4c0a9c1 is described below

commit 4c0a9c1cfbae476df5c219f51583a935a4cecaaf
Author: buildbot <>
AuthorDate: Thu Sep 10 04:22:34 2020 +0000

    Automatic Site Publish by Buildbot
 output/components/classic/security.html             |  1 +
 .../CVE-2020-13920-announcement.txt                 | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/output/components/classic/security.html b/output/components/classic/security.html
index cd6f6e6..b5cee72 100644
--- a/output/components/classic/security.html
+++ b/output/components/classic/security.html
@@ -97,6 +97,7 @@
 <p>See the main <a href="../../security-advisories">Security Advisories</a>
page for details for other components and general information such as reporting new security
+  <li><a href="../../">CVE-2020-13920</a>
- JMX MITM vulnerability</li>
   <li><a href="../../">CVE-2020-1941</a>
- XSS in WebConsole</li>
   <li><a href="../../">CVE-2019-0222</a>
- Corrupt MQTT frame can cause broker shutdown</li>
   <li><a href="../../">CVE-2018-8006</a>
- ActiveMQ Web Console - Cross-Site Scripting</li>
diff --git a/output/ b/output/
new file mode 100644
index 0000000..b201e34
--- /dev/null
+++ b/output/
@@ -0,0 +1,21 @@
+CVE-2020-13920: Apache ActiveMQ JMX is vulnerable to a MITM attack
+Severity: Moderate
+Vendor: The Apache Software Foundation
+Affected Version: Apache ActiveMQ version prior to 5.15.12
+Vulnerability details:
+Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI
+registry and binds the server to the "jmxrmi" entry. It is possible
+to connect to the registry without authentication and call the rebind
+method to rebind jmxrmi to something else. If an attacker creates another
+server to proxy the original, and bound that, he effectively becomes a 
+man in the middle and is able to intercept the credentials when an user
+Upgrade to Apache ActiveMQ 5.15.12
+Credit: Jonathan Gallimore & Colm O hEigeartaigh

View raw message