CVE-2014-3612 — Improper Authentication in Apache Activemq

CWE-287 — Improper Authentication CWE-20 — Improper Input Validation CWE-305 — Authentication Bypass by Primary Weakness10 documents7 sources

Severity

7.5HIGHNVD

GHSA5.0OSV5.0

EPSS

0.7%

top 27.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Activemq

Timeline

PublishedAug 24

Latest updateMay 17

Description

The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6524 for the use of wildcard operators in usernames.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶Debianapache/activemq< 5.6.0+dfsg1-4+2

▶NVDapache/activemq18 versions+17

🔴Vulnerability Details

GHSA

Improper Input Validation in Apache ActiveMQ↗2022-05-17

▶

GHSA

Improper Authentication in Apache WSS4J↗2022-05-14

▶

OSV

Improper Authentication in Apache WSS4J↗2022-05-14

▶

OSV

CVE-2014-3612: The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5↗2015-08-24

▶

CVEList

CVE-2014-3612: The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5↗2015-08-24

▶

📋Vendor Advisories

Red Hat

activemq: LDAPLoginModule implementation allows wildcard operators in usernames↗2015-08-24

▶

Red Hat

JAAS: LDAPLoginModule allows empty password authentication↗2015-02-05

▶

Debian

CVE-2014-3612: activemq - The LDAPLoginModule implementation in the Java Authentication and Authorization ...↗2014

▶

💬Community

Bugzilla

CVE-2014-3612 ActiveMQ JAAS: LDAPLoginModule allows empty password authentication↗2014-09-01

▶