CVE-2021-26117 – org.apache.activemq:activemq-parent
Package
Manager: maven
Name: org.apache.activemq:activemq-parent
Vulnerable Version: >=5.16.0 <5.16.1 || >=0 <5.15.14
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.163 (percentile 0.9459)
Details
Improper Authentication in Apache ActiveMQ and Apache Artemis
The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used in error to verify a valid user's password, resulting in no check on the password.
Metadata
Created: 2021-06-16T17:39:35Z
Modified: 2024-03-14T21:31:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-9mgm-gcq8-86wq/GHSA-9mgm-gcq8-86wq.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-9mgm-gcq8-86wq
Finding: F006
Auto approve: 1