CVE-2015-6524Improper Input Validation in Apache Activemq

CWE-20Improper Input ValidationCWE-287Improper AuthenticationCWE-305Authentication Bypass by Primary Weakness11 documents7 sources
Severity
5.0MEDIUMNVD
CNA7.5GHSA7.5OSV7.5
EPSS
1.2%
top 21.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache ActivemqFedoraproject Fedora
Timeline
PublishedAug 24
Latest updateMay 17

Description

The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows wildcard operators in usernames, which allows remote attackers to obtain credentials via a brute force attack. NOTE: this identifier was SPLIT from CVE-2014-3612 per ADT2 due to different vulnerability types.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

Debianapache/activemq< 5.6.0+dfsg1-4+2
NVDapache/activemq18 versions+17

Also affects: Fedora 22, 23

🔴Vulnerability Details

5
GHSA
Improper Input Validation in Apache ActiveMQ2022-05-17
OSV
Improper Input Validation in Apache ActiveMQ2022-05-17
GHSA
Improper Authentication in Apache WSS4J2022-05-14
CVEList
CVE-2015-6524: The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 52015-08-24
OSV
CVE-2015-6524: The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 52015-08-24

📋Vendor Advisories

3
Red Hat
activemq: LDAPLoginModule implementation allows wildcard operators in usernames2015-08-24
Red Hat
JAAS: LDAPLoginModule allows empty password authentication2015-02-05
Debian
CVE-2015-6524: activemq - The LDAPLoginModule implementation in the Java Authentication and Authorization ...2015

💬Community

2
Bugzilla
CVE-2015-6524 activemq: LDAPLoginModule implementation allows wildcard operators in usernames [fedora-all]2015-08-26
Bugzilla
CVE-2015-6524 activemq: LDAPLoginModule implementation allows wildcard operators in usernames2015-08-26
CVE-2015-6524 — Improper Input Validation in Apache | cvebase