CVE Vulnerabilities

CVE-2021-26117

Improper Authentication

Published: Jan 27, 2021 | Modified: Nov 20, 2023
CVSS 3.x: 7.5 HIGH (Source: NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS 2.x: 5 MEDIUM
AV:N/AC:L/Au:N/C:N/I:P/A:N

The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used in error to verify a valid user's password, resulting in no check on the password.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name              Vendor  Start Version       End Version
Activemq          Apache  5.15.0 (including)  5.15.14 (excluding)
Activemq          Apache  5.16.0 (including)  5.16.1 (excluding)
Activemq_artemis  Apache  *                   2.16.0 (excluding)
