Hi all,

A few months ago I raised the issue of a number of CVEs reported against AMQ which have no "fix for" version. I have some time again to look into this, and so I'd like to take them one by one.

https://nvd.nist.gov/vuln/detail/CVE-2015-5183 "The Hawtio console in A-MQ does not set HTTPOnly or Secure attributes on cookies."

The original JIRA (https://bugzilla.redhat.com/show_bug.cgi?id=1249182) refers to the Hawt IO Console, and not anything in ActiveMQ. Note, though, that we didn't set HTTPOnly for the AMQ Web Console until the 5.15.11 release (https://issues.apache.org/jira/browse/AMQ-7322).

As this CVE does not concern ActiveMQ at all, I would like to mail NIST and request that they change the CPE score to stop referencing ActiveMQ, and also update the description not to refer to ActiveMQ. It would be great if someone from the PMC could give me a +1 to this plan, and I will be able to link to this thread when contacting NIST.

Colm.
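The check a practitioner would run to confirm the point above (whether a console's session cookie carries HttpOnly and Secure), as an added example that is not code from ActiveMQ, Hawtio, or the post. It parses raw Set-Cookie header values and reports, per cookie, which of the two attributes is absent; the sample headers are constructed, and the cookie name JSESSIONID and the console URL in the comment are assumptions, not observed output from any product.

```python
"""Audit Set-Cookie headers for missing HttpOnly and Secure attributes.

Added example: not code from ActiveMQ, Hawtio, or the mailing-list post.
Parses Set-Cookie values in the RFC 6265 shape "name=value; Attr; Attr=value"
and reports which of the two attributes each cookie lacks. The sample headers
below are constructed; JSESSIONID and the console URL are assumptions.
"""
import urllib.error
import urllib.request
from typing import Dict, List, NamedTuple, Tuple, Union


class CookieAudit(NamedTuple):
    name: str
    missing: List[str]  # attributes not set on this cookie, in report order


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, Union[str, bool]]]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased so HttpOnly/httponly/HTTPOnly all match;
    flag attributes without a value (HttpOnly, Secure) map to True. Splitting
    on ';' is safe because the Expires date contains a comma, not a semicolon.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    name = name.strip()
    if not sep or not name:
        raise ValueError(f"malformed cookie-pair: {parts[0]!r}")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, value.strip(), attrs


def audit_cookie(header_value: str, require_secure: bool = True) -> CookieAudit:
    """Report which of HttpOnly / Secure a single cookie lacks."""
    name, _value, attrs = parse_set_cookie(header_value)
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if require_secure and "secure" not in attrs:
        missing.append("Secure")
    return CookieAudit(name, missing)


def audit_response(set_cookie_headers: List[str], served_over_tls: bool = True) -> List[CookieAudit]:
    """Audit every Set-Cookie header of one response.

    Secure only makes sense on a TLS listener (a browser never returns a
    Secure cookie over plain HTTP), so for an http:// console only HttpOnly
    is checked. Fully attributed cookies still appear, with an empty list.
    """
    return [audit_cookie(h, require_secure=served_over_tls) for h in set_cookie_headers]


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Collect Set-Cookie headers from a live endpoint (not exercised offline).

    A console behind HTTP Basic auth answers 401 and may still set cookies,
    so the headers of an HTTPError are read instead of letting it propagate.
    """
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.headers.get_all("Set-Cookie") or []
    except urllib.error.HTTPError as err:
        return err.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    # Constructed sample responses: a console that sets neither attribute,
    # one that adds HttpOnly, and one that sets both on every cookie.
    SAMPLES = {
        "no attributes": ["JSESSIONID=node01abc.node0; Path=/"],
        "HttpOnly only": ["JSESSIONID=node01abc.node0; Path=/; HttpOnly"],
        "both": ["JSESSIONID=node01abc.node0; Path=/; HttpOnly; Secure",
                 "lastSeen=1; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly"],
    }
    for label, headers in SAMPLES.items():
        for audit in audit_response(headers, served_over_tls=True):
            status = "OK" if not audit.missing else "missing " + ", ".join(audit.missing)
            print(f"{label:14s} {audit.name:12s} {status}")
    # Against a real console (URL is an assumption; adjust for your broker):
    # for a in audit_response(fetch_set_cookie_headers("https://broker.example:8161/admin/")):
    #     print(a)
```

Pass `served_over_tls=False` when auditing a plain-HTTP listener; flagging a missing Secure attribute there is noise, since the attribute would only matter once the console sits behind TLS.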