CVE-2015-1830 — Improper Limitation of a Pathname to a Restricted Directory in Apache ActiveMQ

Description

Directory traversal vulnerability in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5.x before 5.11.2 for Windows allows remote attackers to create JSP files in arbitrary directories via unspecified vectors.

How to fix CVE-2015-1830

To remediate CVE-2015-1830, upgrade the affected package to a fixed version below.

Maven/org.apache.activemq:activemq-client—upgrade to 5.11.2 or later

Is CVE-2015-1830 being exploited?

Likely — EPSS is 86.0%, placing CVE-2015-1830 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

>= 5.0.0, < 5.11.2

References (12)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-1830
WEBactivemq.apache.org/security-advisories.data/CVE-2015-1830-announcement.txt
WEBpacketstormsecurity.com/files/156643/Apache-ActiveMQ-5.11.1-Directory-Traversal-Shell-Upload.html
WEBgithub.com/apache/activemq