CVE-2018-11775

CWE-295 — Improper Certificate Validation11 documents8 sources

Severity

7.4HIGH

EPSS

0.5%

top 34.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Activemq Apache Software Foundation Apache Activemq Oracle Enterprise Repository +1 more

Timeline

PublishedSep 10

Latest updateJul 23

Description

TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages6 packages

▶Mavenorg.apache.activemq:activemq-client< 5.15.6

▶NVDapache/activemq< 5.15.6

▶CVEListV5apache_software_foundation/apache_activemq5.0.0 - 5.15.5

▶Debianactivemq< 5.15.6-1+2

▶NVDoracle/enterprise_repository12.1.3.0.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

activemq vulnerabilities↗2024-07-23

▶

OSV

Improper Certificate Validation in Apache activemq-client↗2018-10-19

▶

GHSA

Improper Certificate Validation in Apache activemq-client↗2018-10-19

▶

OSV

CVE-2018-11775: TLS hostname verification when using the Apache ActiveMQ Client before 5↗2018-09-10

▶

CVEList

CVE-2018-11775: TLS hostname verification when using the Apache ActiveMQ Client before 5↗2018-09-10

▶

📋Vendor Advisories

Ubuntu

Apache ActiveMQ vulnerabilities↗2024-07-23

▶

Red Hat

activemq: ActiveMQ Client Missing TLS Hostname Verification↗2018-09-10

▶

Debian

CVE-2018-11775: activemq - TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 wa...↗2018

▶

💬Community

Bugzilla

CVE-2018-11775 activemq: ActiveMQ Client Missing TLS Hostname Verification [fedora-all]↗2018-09-14

▶

Bugzilla

CVE-2018-11775 activemq: ActiveMQ Client Missing TLS Hostname Verification↗2018-09-14

▶