CVE-2010-1587 — Apache ActiveMQ Sensitive Information Disclosure via the Jetty ResourceHandler

Description

The Jetty ResourceHandler in Apache ActiveMQ 5.x before 5.3.2 and 5.4.x before 5.4.0 allows remote attackers to read JSP source code via a // (slash slash) initial substring in a URI for (1) admin/index.jsp, (2) admin/queues.jsp, or (3) admin/topics.jsp.

How to fix CVE-2010-1587

To remediate CVE-2010-1587, upgrade the affected package to a fixed version below.

Maven/org.apache.activemq:activemq-web-console—upgrade to 5.3.2 or later

Is CVE-2010-1587 being exploited?

Likely — EPSS is 77.9%, placing CVE-2010-1587 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

>= 5.0.0, < 5.3.2

References (11)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2010-1587
PATCHgithub.com/apache/activemq
WEBgithub.com/apache/activemq/commit/aadd17ab7b6b6a664322538d25ee96dad67616e0
WEBgithub.com/apache/activemq/compare/activemq-5.3.1...activemq-parent-5.3.2