CVE Vulnerabilities

CVE-2021-26117

Improper Authentication

Published: Jan 27, 2021 | Modified: Dec 07, 2021

CVSS 3.x (source: NVD): 7.5 HIGH
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 2.x (source: NVD): 5.0 MEDIUM
  AV:N/AC:L/Au:N/C:N/I:P/A:N
RedHat/V3: 8.1 IMPORTANT
  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
RedHat/V2: no score listed
Ubuntu: no score listed

The two CVSS 3.1 vectors disagree on impact: NVD scores an integrity-only impact (C:N/I:H/A:N) at low attack complexity, while Red Hat scores full confidentiality, integrity and availability impact (C:H/I:H/A:H) at high attack complexity. Both agree the flaw is remotely reachable with no privileges and no user interaction.

The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In that configuration, in Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is mistakenly used to verify a valid user's password, so the password is never actually checked: any password, including an empty one, is accepted for any username that exists in the directory.
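The description above is the whole bug: the login module looks the user up through an anonymous directory context and then reuses that anonymous context to "verify" the password, so the directory ignores whatever password was supplied. The following is an added, illustrative Python model of that flow and of the corrected flow; it is not ActiveMQ's or Artemis's Java code, and the in-memory directory, entry DNs and passwords are constructed for the example. The corrected flow also guards against the related LDAP pitfall of an "unauthenticated" bind (a DN with an empty password), which servers may accept while granting only anonymous access.

```python
"""Model of the CVE-2021-26117 failure mode and its fix.

Added example: a simplified, in-memory model written for this page, not the
Apache ActiveMQ / Artemis Java code.  Entry DNs and passwords are constructed.
"""
import hmac


class BindError(Exception):
    """Raised by the directory model when a bind is refused."""


class Session:
    """A bound connection.  authenticated_dn is None for anonymous sessions."""

    def __init__(self, server, authenticated_dn, authentication):
        self.server = server
        self.authenticated_dn = authenticated_dn
        self.authentication = authentication  # "none" or "simple"

    def search_uid(self, uid):
        """Return the DN whose uid attribute matches, or None.  Searching is
        permitted anonymously in this model, as it often is in practice."""
        for dn, attrs in self.server.entries.items():
            if attrs["uid"] == uid:
                return dn
        return None


class DirectoryModel:
    """In-memory stand-in for an LDAP server that allows anonymous binds."""

    def __init__(self, entries):
        self.entries = entries  # dn -> {"uid": ..., "userPassword": ...}

    def bind(self, dn, password, authentication):
        if authentication == "none":
            # Anonymous bind: any DN or password supplied is ignored entirely.
            return Session(self, None, "none")
        if authentication != "simple":
            raise BindError("unsupported authentication mechanism")
        if not dn:
            raise BindError("simple bind requires a DN")
        if password == "":
            # "Unauthenticated" bind (RFC 4513 s5.1.2): a server may accept it
            # and grant only anonymous access.  Modelled as such a server.
            return Session(self, None, "simple")
        attrs = self.entries.get(dn)
        if attrs is None or not hmac.compare_digest(
                attrs["userPassword"].encode(), password.encode()):
            raise BindError("invalid credentials")
        return Session(self, dn, "simple")


# Constructed sample directory for the example.
DIRECTORY = DirectoryModel({
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "userPassword": "correct horse"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "userPassword": "hunter2"},
})


def authenticate_vulnerable(directory, username, password):
    """Flow the CVE describes: look the user up anonymously, then 'verify' the
    password by binding as the user while still using the anonymous context's
    authentication setting.  The directory ignores the password, so any value
    (including an empty one) passes for any existing user."""
    lookup = directory.bind(None, None, "none")
    dn = lookup.search_uid(username)
    if dn is None:
        return False
    try:
        directory.bind(dn, password, lookup.authentication)  # still "none"
    except BindError:
        return False
    return True


def authenticate_fixed(directory, username, password):
    """Corrected flow: the lookup may stay anonymous, but the credential check
    is an explicit simple bind as the user's DN, with two extra guards: an
    empty password is refused before it can become an unauthenticated bind,
    and the resulting session must really be authenticated as that DN."""
    if not password:
        return False
    lookup = directory.bind(None, None, "none")
    dn = lookup.search_uid(username)
    if dn is None:
        return False
    try:
        session = directory.bind(dn, password, "simple")
    except BindError:
        return False
    return session.authenticated_dn == dn


if __name__ == "__main__":
    for fn in (authenticate_vulnerable, authenticate_fixed):
        print(fn.__name__, "alice/wrong ->", fn(DIRECTORY, "alice", "wrong"))
        print(fn.__name__, "alice/'' ->", fn(DIRECTORY, "alice", ""))
```

The final `session.authenticated_dn == dn` check is what makes the fixed flow robust even against a directory that silently downgrades an odd bind to anonymous: success is defined as "the server says I am this DN", not "the bind call did not raise".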

Weakness (CWE-287: Improper Authentication)

When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. Here the identity claim (the username) is accepted because a matching entry exists in the directory, while the proof of the claim (the password) is never evaluated.

Affected Software

Name                      Vendor   Start Version   End Version
Activemq                  Apache   5.15.0          *
Activemq                  Apache   5.16.0          *
Activemq_artemis          Apache   *               *
Red Hat AMQ Broker 7      RedHat   *
Red Hat JBoss A-MQ 6.3    RedHat   broker          *
Red Hat JBoss Fuse 6.3    RedHat   broker          *
Activemq                  Ubuntu   groovy          *
Activemq                  Ubuntu   hirsute         *
Activemq                  Ubuntu   trusty          *
Activemq                  Ubuntu   xenial          *

An end version of * means the feed lists no upper bound; rows with a single * give only one bound in the feed. The fixed releases named in the description are ActiveMQ 5.15.14 (for the 5.15.x line), ActiveMQ 5.16.1 (for the 5.16.x line) and ActiveMQ Artemis 2.16.0; treat anything earlier as affected when the LDAP login module is configured for anonymous access.

Potential Mitigations

Upgrade to a fixed release: Apache ActiveMQ 5.15.14 or 5.16.1, or Apache ActiveMQ Artemis 2.16.0, or later. Until the upgrade is in place, do not configure the LDAP login module for anonymous access to the LDAP server: the description ties the unchecked-password path to that configuration, so binding to the directory with a dedicated service account instead of anonymously avoids it. After either change, verify on the broker itself by attempting a connection with a valid username and a deliberately wrong password, and again with an empty password; both must be rejected.
